A data processing system, apparatus and a data processing method
are provided to verify and validate data. Cryptographic processes
employ keys to encrypt the data, check the data and prevent
tampering with the data. The data may include header information
such as compressed contents or an expansion processing program
used to process the data.

The aims are to efficiently ascertain that data are valid, prevent
encryption processing key data from leaking, eliminate illegal use
of contents data, restrict contents utilization, apply a different
plurality of data formats to contents and efficiently execute
reproduction processing of compressed data. The verification
process of partial data is executed by collating the integrity
partial data as check values for a combination of partial data of
a content, and the verification process of the entirety of the
combination of partial data is executed by collating
partial-integrity-check-value-verifying integrity check values
that verify the combination of the partial integrity check values.
Master keys to generate individual keys necessary for a process
such as data encryption are stored in the storage section and keys
are generated as required. An illegal device list is stored in the
header information of a content and referred to when data is used.
Keys specific to a data processing apparatus and common keys are
stored and the keys are selectively used according to the content
use restriction. Plural content blocks are coupled, and at least a
part of the content blocks is applied to an encryption process by
an encryption key Kcon, then encryption key data that is the
encryption key Kcon encrypted by an encryption key Kdis is stored
in the header section. A content data is made of compression data
and an expansion processing program or a combination of types of
compression programs, and the reproducing apparatus can determine
an expansion program applicable to a compressed content.
DESCRIPTION

DATA PROCESSING APPARATUS AND DATA PROCESSING METHOD

BACKGROUND OF THE INVENTION

[0001] The present invention relates to a data processing
apparatus and a data processing method, and more particularly,
to a method and apparatus for verifying that data constituting
a data content is valid, that is, checking whether or not the
data has been tampered with, as well as a method for imparting
verification values, and also to an apparatus and a method
capable of enhancing security by generating individual keys
necessary for encryption processing using master keys
corresponding to their respective individual keys. Moreover,
the present invention provides a configuration that eliminates
illegal usage of content data. More specifically, the
invention relates to an apparatus and a method capable of
identifying illegal reproduction devices and eliminating
illegal use of content. Furthermore, the present invention
relates to an apparatus and a method capable of easily setting
content only available to the data processing apparatus using
content data and content data also available to other data
processing apparatuses based on information specific to the
data processing apparatus, etc. Still further, the present
invention relates to a method, apparatus and verification
value assignment method for verifying the validity of data
configuring data contents, that is, verifying the presence or
absence of tampering.

[0002] Furthermore, the present invention relates to a data
processing apparatus, a content data generating method, and a
data processing method that realizes a content data
configuration enabling content data to be provided and utilized
under high security management. The content data is in a
configuration in which data (including at least any one of
voice information, image information and program data) is
applied to encryption processing. The content data is
provided to a content user together with various kinds of
header information, and the content user performs reproduction,
execution, or storing processing in a recording device.
[0003] Still further, the present invention relates to a
data processing apparatus, a data processing method and a
content data generating method for providing a configuration
for efficiently executing reproduction processing. For
instance, the data contents may be compressed voice data,
image data or the like. More specifically, it enables a
configuration of the content data in which compressed data and
an expansion processing program are combined to retrieve and
extract an applicable expansion processing program based on
header information of compressed data contents in which an
applied expansion processing program is stored as header
information to execute reproduction processing.

[0004] The present invention further relates to a
configuration and method for reproducing various content
such as sounds, images, games, or programs which are available
through various recording media. The recording media include
DVDs, CDs, wire or radio communication means such as CATV, the
Internet, and satellite communication. Reproduction occurs in
a recording and reproducing device of a user. The contents are
stored in an exclusive recording device such as, for example,
a memory card, a hard disk, or a CD-ROM. Use limitations, such
as limitations selected by a content distributor, are stored
along with content to provide security such that the
distributed content will not be illegally used.

DESCRIPTION OF THE RELATED ART

[0005] Various data such as game programs, sound data,
image data, or documenting programs (these are hereafter
referred to as "contents") are now distributed via a network
such as the Internet or via distributable storage media such
as DVDs or CDs. These distributed contents can be stored in a
recording device such as a memory card or a hard disk
that is attached to a recording and reproducing apparatus
such as a personal computer (PC) or a game apparatus
owned by a user so that once stored, the contents can be
reproduced from the storage media.

[0006] The main components of a memory card used in a
conventional information apparatus such as a video game
apparatus or a PC include a connection control means for
controlling operations, a connector for connection to a slot
connected to the connection control means and formed in the
information apparatus, and non-volatile memory connected to
the control means for storing data. The non-volatile memory
provided in the memory card comprises, for example, an EEPROM,
flash memory, or the like.

[0007] Various contents such as data or programs that are
stored in the memory card are invoked from the non-volatile
memory in response to a user's command from an information
apparatus main body such as a game apparatus or a PC.
The game apparatus or PC can be used as a reproduction
apparatus or to respond to a user's command provided via a
connected input means. The contents are reproduced from
the information apparatus main body or from a display,
speakers, or the like which are connected thereto.

[0008] Software contents such as game programs, music
data, or image data generally have their distribution rights
held by their creators or sellers. Thus, in distributing
this content, a configuration is generally used which
places specified limitations on the usage. That means the
use of software is permitted only for regular users so as to
prevent unauthorized copying or the like. In other words,
security is taken into consideration.

[0009] One method for realizing limitations on the use by a
user is a process for encrypting distributed content. This
process comprises distributing various contents
such as sound data, image data, or game programs which are
encrypted, for example, via the Internet, and decrypting the
distributed content that has been encrypted.
Decryption takes place only for people confirmed to be regular
users. Distributing the various content
corresponds to a configuration with a means for imparting a
decryption key.

[0010] Encrypted data can be returned to decrypted data,
for example plain text, by a decryption process based on a
predetermined procedure. A data encrypting and decrypting
method that uses an encryption key for an information
encrypting process while using a decryption key for such a
decryption process is conventionally known.

[0011] There are various types of data
encrypting and decrypting methods using an encryption key and
a decryption key. One example is called a common
key cryptosystem. The common key cryptosystem uses a common
encryption key used for a data encrypting process and a common
decryption key used for a data decrypting process and imparts
these common keys to regular users while excluding data access
by illegal users that have no key. A representative example of
this cryptosystem is the Data Encryption Standard (DES).

[0012] The encryption and decryption keys used for the
encryption and decryption processes are obtained, for example,
by applying a one-way function such as a hash function based
on a password or the like. The one-way function makes it
difficult to determine the input of the function from
the output of the function. For example, a password decided
by a user is used as an input to apply a one-way function so
as to generate an encryption key and a decryption key based
on the output from the one-way function. Determining the
password (which is the original data for the keys) from the
encryption and decryption keys is substantially impossible.

[0013] In addition, a method called a "public key
cryptosystem" uses different algorithms for a process based on
an encryption key used for encryption and for a process based
on a decryption key used for decryption. The public key
cryptosystem uses a public key available to unspecified users
so that an encrypted document for a particular individual is
decrypted using a public key issued by this particular user. 
The document encrypted with the public key can only be 
decrypted with a secret key corresponding to the public key 
used for the decryption process. Since the secret key is owned 
by the individual that has issued the public key, the document 
encrypted with the public key can be decrypted only by 
individuals having the secret key. A representative public key 
cryptosystem is the RSA (Rivest-Shamir-Adleman) encryption. 

[0014] The use of such a cryptosystem enables encrypted
contents to be decrypted only for regular users. A
conventional content distributing configuration employing such
a cryptosystem will be described with reference to
Fig. 1.

[0015] Fig. 1 shows an example of a configuration in which
a reproduction means 10 such as a PC or a
game apparatus reproduces a program, sound or video data, or
the like (content) obtained from a data providing means such
as a DVD or CD 30, or the Internet 40 and wherein data
obtained from the DVD or CD 30, Internet 40, or the like are
stored in a storage means 20 such as a floppy disk, a memory
card, a hard disk, or the like.

[0016] The content, such as a program, sound or video
data, is provided to a user having the reproduction means
10. A regular user obtains encrypted data as well as key
data that are its encryption and decryption keys.

[0017] The reproduction means 10 has a CPU 12 to reproduce
input data by means of a reproduction process section 14. The
reproduction process section 14 decrypts encrypted data to
reproduce content such as a provided program, and
sound or image data.

[0018] The regular user saves the content, such as the
program and data, to the storage means 20 in order to use the
provided program again. The reproduction means 10 has a
storage process section 13 for executing this content
storage process. The storage process section 13
encrypts and saves the data in order to prevent the data
stored in the storage means 20 from being illegally used.

[0019] A content encrypting key is used to encrypt the
content. The storage process section 13 uses the content
encrypting key to encrypt the content and then stores the
encrypted content in a storage section 21 of the storage means
20 such as a floppy disk (FD), a memory card, or a hard
disk.

[0020] To obtain and reproduce the stored content from the
storage means 20, the user obtains encrypted data from the
storage means 20 and causes the reproduction process section
14 of the reproduction means 10 to execute the decryption
process using a content decrypting key. That is, the
decryption key is used in order to obtain and reproduce
decrypted data from the encrypted data.

[0021] According to the conventional example of the
configuration shown in Fig. 1, the stored content is encrypted
in the storage means 20 (such as a floppy disk or memory card)
and thus cannot be read externally. When, however, this floppy
disk is to be reproduced by a reproduction means of
another information apparatus, such as a PC or game apparatus,
the reproduction is impossible unless the reproduction means
has the same content key (i.e., the same decryption
key for decrypting the encrypted content). Accordingly, to
implement a form available to a plurality of information
apparatuses, a common decryption key must be provided to users.

[0022] The use of a common content encrypting key, however,
means that there will be a higher possibility of disorderly
distributing the encryption process key to users not having a
regular license. Consequently, it may not be possible to
prevent the illegal use of the content by users not having the
regular license. Thus, it will be
difficult to exclude the illegal use in PCs, game apparatuses,
or the like by users who do not have the regular license.

[0023] In the case that key information leaks from one of
the apparatuses, the use of a common content encrypting key and
decryption key can cause damage to the whole system which
utilizes the keys.

[0024] Furthermore, in an environment using a common key as
described above, it is possible to easily copy, for example, a
content created on a certain PC and initially saved to a
storage means such as a memory card or floppy disk, to
a second floppy disk. Consequently, using
the second copied floppy disk instead of the original content
data will be possible so that a large number of copied
content data available to information apparatuses such as game
apparatuses or PCs may be created or tampered with.

[0025] A method is conventionally used which
includes an integrity check value in
content data to check the validity of the data. That
is, in order to determine whether or not the data have been
tampered with, a recording and
reproducing device collates an integrity check value
(generated based on the data to be verified) with the
integrity check value contained in the content data to verify
the data.

[0026] The integrity check value for the data contents,
however, is generally generated for the entire set of data.
Collating the integrity check value generated for the
entire set of data requires an integrity check value to be
generated for the entire set of data to be checked. If, for
example, an integrity check value (ICV) is to be determined
using a Message Authentication Code (MAC) generated in a
DES-CBC (Cipher Block Chaining) mode, the DES-CBC process must
be executed on the entire set of data. The amount of such
calculations increases linearly with the data length, thereby
disadvantageously reducing processing efficiency.

SUMMARY OF THE INVENTION

[0027] The present invention solves the above problems
with the conventional art. The present invention
provides, as a first object of the invention, a data
processing apparatus and method and a data verifying value
imparting method, which efficiently confirms the validity of
data and efficiently executes a download process for a
recording device. The download process is executed after the
verification. A reproduction process is also executed after
the verification along with other processes.
A program providing medium for use in this apparatus and
these methods is also presented.

[0028] Furthermore, as techniques for limiting the use of
content data to authorized users, various kinds of encryption
processing are available, such as data encryption, data
decryption, data verification and signature processing.
However, executing these kinds of encryption processing
requires common secret information. For example, common
secret information is used in key information applied to
encryption and decryption of content data, or to an
authentication key used for authentication shared
between two apparatuses (i.e., apparatuses between
which content data is transferred or apparatuses between
which authentication processing is executed).

[0029] Therefore, in the case where key data (which is
shared secret information) is leaked from either of the two
apparatuses, the content encryption data (using the shared
key information) can also be decrypted by a third party who
has no license, thus allowing illegal use of contents. The
same is true for the case where an authentication key is
leaked. This can lead to establishing an
authentication for an apparatus with no license. Leakage of
keys, therefore, has consequences that threaten the entire
system.

[0030] The present invention is intended to solve these
problems.

[0031] The second object of the invention is to provide a
data processing apparatus, data processing system and data
processing method with enhanced security in encryption
processing. The data processing apparatus of the present
invention does not store individual keys necessary to execute
encryption processing such as data encryption, data decryption,
data verification, authentication processing and signature
processing in a storage section. Instead, the data processing
apparatus stores master keys to generate these individual keys.
The master keys are stored in the storage section and
allow an encryption processing section to generate necessary
individual keys based on the master keys and identification
data of the apparatus or data.

[0032] Furthermore, it is possible to maintain a certain
degree of security by supplying encrypted content data.
However, in the case where various encryption keys
stored in memory are read through illegal reading
of memory, and key data, etc. is leaked and copied onto a
recorder/reproducer without any authorized license, contents
may be illegally used using the copied key information.

[0033] It is a third object of the present invention to
provide a data processing apparatus, data processing method
and contents data generation method in a configuration capable
of excluding such illegal reproducers. That is, a
configuration that is capable of identifying illegal
reproducers and not allowing the identified illegal
reproducers to execute processing such as reproduction and
downloading of content data.

[0034] Furthermore, techniques for limiting the use of
content data to authorized users include encryption
processing using predetermined encryption keys, for example,
signature processing. However, conventional encryption
processing using signature processing generally has a
signature key common to all entities using the contents in a
system. Such a common signature key allows different
apparatuses to use common content.
This can lead to illegal copies of contents.

[0035] It is possible to store contents encrypted
using a unique password, etc., but the password may be stolen.
It is also possible to decrypt the same encrypted
content data by entering the same password through different
reproducers. However, it is difficult for a conventional
security configuration to implement a system that can identify
a reproducer and that allows only that reproducer to use the
contents.

[0036] The present invention has been implemented to solve
the above problems of the prior art. It is a fourth
object of the present invention to provide a data processing
apparatus and data processing method capable of allowing only
a specific data processing apparatus to reproduce contents
according to contents utilization restrictions. This is done
by making it possible to selectively use both an
apparatus-specific key, which is specific to a data processing
apparatus, and a system common key, which is common to other
data processing apparatuses.

[0037] Furthermore, encryption processing of
content data is used as a method of limiting utilization of
content data to only authorized users. However, there are
various kinds of content data, such as voice information,
image information and program data. There are various
kinds of contents in cases such as (a) where
all content data is required to be encrypted, and (b)
where a part requiring encryption processing and a part
not requiring encryption processing are mixed.

[0038] Applying encryption processing uniformly to
various content may generate unnecessary decryption
processing in reproduction processing of the contents. It
may also generate unfavorable situations in terms of
processing efficiency and processing speed. For example, for
data such as music data in which real time reproduction is
essential, it is desirable to have a content data structure
that can apply decryption processing at high
processing speed.

[0039] The present invention solves such problems. It is
a fifth object of the present invention to provide a data
processing apparatus, a content data generating method and a
data processing method that enable
various data structures corresponding to types of content data
to be applied to specific content. In other words, various
different data formats are provided corresponding to the
content. This enables generation and processing of content
data in a manner that has high security and is easy to utilize
in reproduction, execution and the like.

[0040] Furthermore, voice data, image data and the like
that are decrypted are then output to an AV output section
to be reproduced. Nowadays, oftentimes, content
is compressed and stored in a storage medium or distributed.
It is therefore necessary to expand the compressed data before
reproducing it. For example, if voice data is compressed
in the MP-3 format, the voice data will be decrypted by a
MP3 decoder to be output. If content data is image data
which is compressed in the MP-3 format, the voice data is
expanded by a MPEG2 decoder to be output.

[0041] However, as there are various kinds of compression
processing and expansion processing programs, even if
compressed data is provided from a content provider via a
medium or a network, it can be impossible to reproduce the
data with a reproducing apparatus that does not have a
compatible expansion program.

[0042] It is a sixth object of the present invention to
provide a configuration for efficiently executing reproduction
processing of compressed data. That is, a data processing
apparatus, a data processing method and a content data
generating method for efficiently executing reproduction
processing are presented in the case in which the content
is compressed voice data, image data or the like.

[0043] The foregoing objects and other objects of the
invention have been achieved by providing a
data processing apparatus and a data processing method.

[0044] A first aspect of the present invention is a data
processing apparatus for processing content data. The content
data is provided by a recording or communication medium.
The data processing apparatus
comprises a cryptography process section for executing a
cryptography process on the content data and a control
section for executing control for the cryptography process
section. The cryptography process section
generates partial integrity check values as integrity check
values for a partial data set containing partial
data obtained by a content data-constituting section. The
content data-constituting section assembles partial data into
a plurality of parts. The cryptography process section
collates the integrity check values to verify the
partial data, generates an intermediate integrity check value
based on a partial integrity check value set
containing at least one of the partial integrity check
values, and uses the intermediate integrity check
value to verify the partial data sets.

[0045] Further, one embodiment of the data processing
apparatus according to the present invention is characterized
in that the partial integrity check values are generated by
means of a cryptography process with a
partial-check-value-generating key applied thereto. The
cryptography process uses partial data as a message. The
intermediate integrity check value is generated by means of
the cryptography process with a general-check-value-generating
key applied thereto, using the partial integrity
check value set as the message.
The cryptography process section is configured to store
the partial-check-value-generating key and
the general-check-value-generating key.

[0046] Further, another embodiment of the data
processing apparatus according to the present invention is
characterized in that the cryptography process has plural
types of partial-check-value-generating keys corresponding to
said partial integrity check values.

[0047] Another embodiment of the data
processing apparatus according to the present invention is
characterized in that the cryptography process is a DES
cryptography process. The cryptography process section
is configured to execute the DES cryptography process.

[0048] Further, yet another embodiment of the data
processing apparatus according to the present invention is
characterized in that the partial integrity check values
are message authentication codes (MAC). The MAC is generated
in a DES-CBC mode using said partial data as
the message. The intermediate integrity check value is one
of the message authentication codes (MAC) generated in the
DES-CBC mode using the partial integrity check value set
as the message. The
cryptography process section is configured to execute the
cryptography process in the DES-CBC mode.

[0049] Further, in another embodiment of the data
processing apparatus according to the present invention,
Triple DES is applied in part of a
message string to be processed in the DES-CBC mode-based
cryptography process.

[0050] Further, in another embodiment of the data
processing apparatus according to the present invention,
the data processing apparatus has a
signature key. The cryptography process section is
configured to apply a value generated from the intermediate
integrity check value by means of the signature key-applied
cryptography process as a collation value for data
verification.
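
The two-level check of paragraphs [0044], [0045], [0048] and [0050], as an added example that is not code from the patent. HMAC-SHA-256 from the Python standard library stands in for the DES-CBC MAC and for the signature-key step, and the function names, key names and sample content are assumptions constructed for illustration.

```python
import hashlib
import hmac


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed check value. HMAC-SHA-256 stands in for the DES-CBC MAC."""
    return hmac.new(key, message, hashlib.sha256).digest()


def make_check_values(parts, k_partial, k_general, k_sign):
    """Producer side: one partial ICV per part plus one collation value.

    Returns (partial_icvs, collation_value); both are stored with the content.
    """
    # Partial ICV: the partial data is the message, keyed with the
    # partial-check-value-generating key.
    partial_icvs = [mac(k_partial, part) for part in parts]
    # Intermediate ICV: the ordered string of partial ICVs is the message,
    # keyed with the general-check-value-generating key.
    intermediate = mac(k_general, b"".join(partial_icvs))
    # Collation value: the signature key applied to the intermediate ICV
    # (modelled here as a second keyed MAC, which is an assumption).
    return partial_icvs, mac(k_sign, intermediate)


def verify_selected(needed, stored_icvs, collation, k_partial, k_general, k_sign):
    """Consumer side. `needed` maps part index -> bytes about to be used.

    First authenticates the whole set of stored partial ICVs against the
    collation value, then checks only the parts that are actually needed.
    Returns (ok, bytes_fed_to_mac) so the cost can be compared with a single
    MAC over all of the content.
    """
    icv_string = b"".join(stored_icvs)
    intermediate = mac(k_general, icv_string)
    fed = len(icv_string) + len(intermediate)
    if not hmac.compare_digest(mac(k_sign, intermediate), collation):
        return False, fed  # the ICV set itself was altered or reordered
    for index, data in sorted(needed.items()):
        if not 0 <= index < len(stored_icvs):
            return False, fed
        fed += len(data)
        if not hmac.compare_digest(mac(k_partial, data), stored_icvs[index]):
            return False, fed  # this part was altered
    return True, fed


# Constructed sample keys and content: a 64-byte header and two 4096-byte blocks.
K_PARTIAL = b"constructed-partial-check-key"
K_GENERAL = b"constructed-general-check-key"
K_SIGN = b"constructed-signature-key"
SAMPLE_PARTS = [b"HEADER" + bytes(58), b"A" * 4096, b"B" * 4096]


def demo():
    icvs, collation = make_check_values(SAMPLE_PARTS, K_PARTIAL, K_GENERAL, K_SIGN)
    keys = (K_PARTIAL, K_GENERAL, K_SIGN)
    results = {}
    # Using only block 1: blocks 0 and 2 are never read.
    results["block1"] = verify_selected({1: SAMPLE_PARTS[1]}, icvs, collation, *keys)
    # Block 2 altered in storage: caught by its partial ICV.
    tampered = b"X" + SAMPLE_PARTS[2][1:]
    results["tampered"] = verify_selected({2: tampered}, icvs, collation, *keys)
    # Stored ICV for block 2 replaced as well, by someone without the keys:
    # caught earlier, by the intermediate ICV and collation value.
    forged = list(icvs)
    forged[2] = hashlib.sha256(tampered).digest()
    results["forged_icv"] = verify_selected({2: tampered}, forged, collation, *keys)
    return results


if __name__ == "__main__":
    for name, (ok, fed) in demo().items():
        print(f"{name:11s} ok={ok} bytes_fed_to_mac={fed}")
```
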

[0051] Yet another embodiment of the data
processing apparatus according to the present invention is
characterized in that the signature
key has a plurality of different signature keys.
The cryptography process section is configured to
apply one of the plurality of different signature keys, which
is selected depending on a localization of the content data,
to the cryptography process for the intermediate integrity
check value in order to obtain the collation value for data
verification.

[0052] Further, in another embodiment, the data
processing apparatus according to the present invention
has a
common signature key common to all entities of a system for
executing a data verifying process. The data processing
apparatus also has an apparatus-specific signature key
specific to each apparatus that executes the data verifying
process.

[0053] Further, yet another embodiment of the data
processing apparatus according to the present invention is
characterized in that the partial integrity check values
contain at least one header section integrity check
value. The header section integrity check value is generated
for intra-header-section data partly constituting data.
The partial integrity check values also contain at least one
content integrity check value generated for content
block data partly constituting the data. The
cryptography process is configured to generate at least one
header section integrity check value for the partial
data set in the intra-header-section data to execute the
collation process. The cryptography process also generates at
least one content integrity check value for said
partial data set in the intra-content-section data to execute
said collation process. Further, the cryptography
process generates a general integrity check value based on all
of the header section integrity check values and the content
integrity check values, to execute the collation
process in order to verify the data.

[0054] Further, one embodiment of the data processing
apparatus according to the present invention is characterized
in that the partial integrity check values contain at least
one header section integrity check value generated for
intra-header-section data partly constituting data. The
cryptography process is configured to generate at least one
header section integrity check value for the partial data set
in the intra-header-section data to execute a collation
process. The cryptography process further generates a general
integrity check value based on the at least one header section
integrity check value generated and on content block data. The
content block data constitutes part of the data. The collation
process is executed in order to verify the data.

[0055] Further, an embodiment of the data processing
apparatus according to the present invention further comprises
a recording device for storing data validated by the
cryptography process section.

[0056] Another embodiment of the data processing apparatus
according to the present invention is characterized in that
the control section suspends storing of the data in the
recording device if a process of collating the partial
integrity check values is not established in the cryptography
process executed by the cryptography process section.

[0057] Further, yet another embodiment of the data processing
apparatus according to the present invention includes a
reproduction process section for reproducing data validated by
the cryptography process section.

[0058] Further, one embodiment of the data processing
apparatus according to the present invention is characterized
in that the control section suspends reproducing of the data
in the reproduction process section if a process of collating
the partial integrity check values is not established in the
cryptography process executed by the cryptography process
section.

[0059] Another embodiment of the data processing apparatus
according to the present invention further includes a control
means. The control means collates only the header section
integrity check values in the data during the cryptography
process executed by the cryptography process section to
collate the partial integrity check values. The control means
then transmits to the reproduction process section the data
for which collation of the header section integrity check
values has been established.

[0060] Moreover, a second aspect of the present invention
is a data processing apparatus for processing content data
provided by a recording or communication medium. The data
processing apparatus comprises a cryptography process section
for executing a cryptography process on the content data and a
control section for executing control for the cryptography
process section. If the data to be verified is encrypted data,
then the cryptography process section generates integrity
check values for the data by means of a signature data-applied
cryptography process. The cryptography process section
generates the integrity check values from data on arithmetic
operation results obtained by executing an arithmetic
operation process on decrypted data obtained by executing a
decryption process on the encrypted data.

[0061] Further, one embodiment of the data processing
apparatus according to the present invention is characterized
in that the arithmetic operation process comprises performing
an exclusive-OR operation on the decrypted data at
predetermined bytes. The decrypted data is obtained by
decrypting the encrypted data.

[0062] Moreover, a third aspect of the present invention is
a data processing method for processing content data provided
by a recording or communication medium. The method generates
partial integrity check values as integrity check values for a
partial data set. The partial data set contains partial data
obtained by a content data-constituting section. The method
collates the generated integrity check values to verify the
partial data and generates an intermediate integrity check
value based on a partial integrity check value set. The
partial integrity check value set contains at least one of the
partial integrity check values. The method uses the generated
intermediate integrity check value to verify the entirety of
the partial data set corresponding to the partial integrity
check values constituting the partial integrity check value
set.

[0063] Further, one embodiment of the data processing
method according to the present invention is characterized in
that the partial integrity check values are generated by
means of a cryptography process. A partial-check-value-
generating key is applied thereto, using the partial data as a
message. The intermediate integrity check value is generated
by means of the cryptography process with a general-check-
value-generating key applied thereto. A partial integrity
check value set data string to be checked is used as the
message.

[0064] Further, another embodiment of the data processing
method according to the present invention is characterized in
that the partial integrity check values are generated by
applying different types of the partial-check-value-generating
keys corresponding to generated partial integrity check
values.

[0065] Another embodiment of the data processing method
according to the present invention is characterized in that
the cryptography process is a DES cryptography process.

[0066] Further, in yet another embodiment of the data
processing method according to the present invention, the
partial integrity check values include a message
authentication code (MAC) generated in a DES-CBC mode using
the partial data as a message. The intermediate integrity
check value is the message authentication code (MAC) generated
in the DES-CBC mode using the partial integrity check value
set data string to be checked as the message.

[0067] Further, another embodiment of the data processing
method according to the present invention is characterized in
that a value generated from said intermediate integrity check
value by means of a signature key-applied cryptography process
is applied as a collation value for data verification.

[0068] Yet another embodiment of the data processing method
according to the present invention is characterized in that
different signature keys are applied to the cryptography
process for the intermediate integrity check value depending
on a localization of content data. The different signature
keys are applied to obtain the collation value for data
verification.

[0069] Further, another embodiment of the data processing
method according to the present invention further includes
selecting and using one of a common signature key common to
all entities of a system for executing a data verifying
process and an apparatus-specific signature key specific to
each apparatus that executes the data verifying process. The
selecting step is based on the localization of the content
data.

[0070] Further, another embodiment of the data processing
method according to the present invention is characterized in
that the partial integrity check values contain at least one
header section integrity check value generated for
intra-header-section data partly constituting data and at
least one content integrity check value generated for
intra-content-section data partly constituting the data. The
method also includes generating at least one header section
integrity check value for the partial data set in the
intra-header-section data to execute a collation process. The
method also generates at least one content integrity check
value for the partial data set in the intra-content-section
data to execute the collation process. The method further
generates a general integrity check value based on all of the
header section integrity check values and the content
integrity check values, wherein the general integrity check
value is operable to execute the collation process in order to
verify the data.
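
The two-level check described in paragraphs [0062] to [0070], as an added example that is not code from the patent: each section gets a partial integrity check value, an intermediate value is computed over the set of partial values, and a signature key chosen by localization turns it into the collation value. HMAC-SHA-256 stands in for the DES-CBC MAC the text names; the key names, the sample data and the reading of "localization" as "bound to one apparatus" are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import List, Tuple


def mac(key: bytes, message: bytes) -> bytes:
    # Stand-in for the DES-CBC MAC named in the text (assumption of this example).
    return hmac.new(key, message, hashlib.sha256).digest()


@dataclass(frozen=True)
class Keys:
    header_key: bytes      # partial-check-value-generating key for the header section
    content_key: bytes     # a different partial-check-value-generating key for content
    general_key: bytes     # general-check-value-generating key
    common_sig_key: bytes  # signature key common to all entities of the system
    device_sig_key: bytes  # apparatus-specific signature key

    def signature_key(self, localized: bool) -> bytes:
        # Assumption: localized content is tied to one apparatus.
        return self.device_sig_key if localized else self.common_sig_key


@dataclass(frozen=True)
class CheckValues:
    header_icv: bytes
    content_icvs: Tuple[bytes, ...]
    collation: bytes
    localized: bool


def collation_value(keys: Keys, header_icv: bytes,
                    content_icvs: Tuple[bytes, ...], localized: bool) -> bytes:
    # Intermediate value: MAC over the ordered set of partial check values.
    intermediate = mac(keys.general_key, header_icv + b"".join(content_icvs))
    # Collation value: signature key applied to the intermediate value.
    return mac(keys.signature_key(localized), intermediate)


def impart(keys: Keys, header: bytes, blocks: List[bytes],
           localized: bool) -> CheckValues:
    header_icv = mac(keys.header_key, header)
    content_icvs = tuple(mac(keys.content_key, b) for b in blocks)
    return CheckValues(header_icv, content_icvs,
                       collation_value(keys, header_icv, content_icvs, localized),
                       localized)


def verify(keys: Keys, header: bytes, blocks: List[bytes],
           cv: CheckValues) -> Tuple[bool, str]:
    # Partial collation first: it names the section that was altered.
    if not hmac.compare_digest(mac(keys.header_key, header), cv.header_icv):
        return False, "header"
    if len(blocks) != len(cv.content_icvs):
        return False, "block count"
    for i, block in enumerate(blocks):
        if not hmac.compare_digest(mac(keys.content_key, block), cv.content_icvs[i]):
            return False, f"content block {i}"
    # Whole-set collation: catches changes to the list of check values itself.
    expected = collation_value(keys, cv.header_icv, cv.content_icvs, cv.localized)
    if not hmac.compare_digest(expected, cv.collation):
        return False, "collation value"
    return True, "ok"


# Constructed keys for two apparatuses that share everything but the device key.
DEVICE_A = Keys(b"constructed-header-key", b"constructed-content-key",
                b"constructed-general-key", b"constructed-common-sig-key",
                b"constructed-device-A-key")
DEVICE_B = replace(DEVICE_A, device_sig_key=b"constructed-device-B-key")


def demo() -> dict:
    header = b"content-id=0001;blocks=3"            # constructed sample data
    blocks = [b"block-0 payload", b"block-1 payload", b"block-2 payload"]
    shared = impart(DEVICE_A, header, blocks, localized=False)
    bound = impart(DEVICE_A, header, blocks, localized=True)
    tampered = [blocks[0], b"block-1 PAYLOAD", blocks[2]]
    # Blocks 0 and 1 swapped together with their stored check values.
    swapped_blocks = [blocks[1], blocks[0], blocks[2]]
    swapped_cv = replace(shared, content_icvs=(shared.content_icvs[1],
                                               shared.content_icvs[0],
                                               shared.content_icvs[2]))
    return {
        "intact": verify(DEVICE_A, header, blocks, shared),
        "tampered block": verify(DEVICE_A, header, tampered, shared),
        "reordered with check values": verify(DEVICE_A, header, swapped_blocks, swapped_cv),
        "common key on B": verify(DEVICE_B, header, blocks, shared),
        "localized on B": verify(DEVICE_B, header, blocks, bound),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The reordered case passes every partial collation and is rejected only by the collation value, which is the reason the scheme checks the set of partial values as a whole.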

[0071] Yet another embodiment of the data processing method
according to the present invention is characterized in that
the partial integrity check values contain at least one header
section integrity check value generated for
intra-header-section data partly constituting data. The data
verifying process includes generating at least one header
section integrity check value for the partial data set in the
intra-header-section data to execute a collation process. The
data verifying process further generates a general integrity
check value based on the at least one header section integrity
check value generated and on content block data constituting
part of the data. This is done to execute a collation process
in order to verify the data.

[0072] Further, another embodiment of the data processing
method according to the present invention includes storing
validated data after verifying the partial data set.

[0073] Further, in another embodiment of the data processing
method according to the present invention, if the collation is
not established in the process for collating the partial
integrity check values, storing validated data in the
recording device is suspended.

[0074] Further, yet another embodiment of the data processing
method according to the present invention further comprises a
data reproduction process for reproducing data after verifying
the partial data set.

[0075] Further, another embodiment of the data processing
method according to the present invention includes suspending
the reproducing of the data if collating of the partial
integrity check values is not established.

[0076] Further, one embodiment of the data processing
method according to the present invention is characterized
wherein collating of the partial integrity check values only
collates the header section integrity check values and
transmits the data for which collation of the header section
integrity check values has been established to a reproduction
process section for reproduction.

[0077] Moreover, a fourth aspect of the present invention
is a data processing method for processing content data
provided by a recording or communication medium. The method
comprises: decrypting encrypted data to be verified to obtain
decrypted data; executing an arithmetic operation process on
the decrypted data to obtain results; and executing a
signature key-applied cryptography process on the results to
generate integrity check values for the data to be verified.

[0078] Further, in one embodiment of the data processing
method according to the present invention, the arithmetic
operation process comprises performing an exclusive-OR
operation on the decrypted data at predetermined bytes.

[0079] Moreover, a fifth aspect of the present invention is
a data verifying value imparting method for a data verifying
process. The method includes imparting partial integrity check
values as integrity check values for a partial data set. The
partial data set contains partial data obtained by a content
data-constituting section. The method also includes imparting
an intermediate integrity check value to data to be verified.
The intermediate integrity check value is used to verify a
partial integrity check value set containing one or more of
the partial integrity check values.

[0080] Further, one embodiment of the data verifying value
imparting method according to the present invention is
characterized in that the partial integrity check values are
generated by means of a cryptography process with a partial-
check-value-generating key applied thereto, using the partial
data as a message. The intermediate integrity check value is
generated by means of the cryptography process with a
general-check-value-generating key applied thereto, using the
partial integrity check value set data string to be checked as
the message.

[0081] Further, in one embodiment of the data verifying
value imparting method according to the present invention, the
partial integrity check values are generated by applying
different types of the partial-check-value-generating keys
corresponding to the partial integrity check values.

[0082] Further, in one embodiment of the data verifying
value imparting method according to the present invention, the
cryptography process is a DES cryptography process.

[0083] Further, in another embodiment of the data verifying
value imparting method according to the present invention, the
partial integrity check values include a message
authentication code (MAC) generated in a DES-CBC mode using
the partial data as a message, and the intermediate integrity
check value is the message authentication code (MAC) generated
in the DES-CBC mode using the partial integrity check value
set data string as the message.

[0084] Further, in another embodiment of the data verifying
value imparting method according to the present invention, a
value generated from the intermediate integrity check value by
means of a signature key-applied cryptography process is
applied as a collation value for data verification.

[0085] Further, in yet another embodiment of the data
verifying value imparting method according to the present
invention, different signature keys are applied to the
cryptography process for the intermediate integrity check
value to obtain the collation value, the different signature
keys being applied depending on a localization of content
data.

[0086] Further, one embodiment of the data verifying value
imparting method according to the present invention further
comprises selecting either a common signature key or an
apparatus-specific signature key as one of the different
signature keys depending on the localization of the content
data. The common signature key is common to all entities of a
system for executing the data verifying process. The
apparatus-specific signature key is specific to each apparatus
that executes the data verifying process.

[0087] Further, in another embodiment of the data verifying
value imparting method according to the present invention, the
partial integrity check values contain at least one header
section integrity check value for intra-header-section data
partly constituting data and at least one content integrity
check value generated for intra-content-section data partly
constituting the data. The method further comprises generating
a general integrity check value to verify the data for the at
least one header section integrity check value and the at
least one content integrity check value.

[0088] Further, one embodiment of the data verifying value
imparting method according to the present invention is
characterized wherein the partial integrity check values
contain at least one header section integrity check value for
intra-header-section data partly constituting data, and the
method further comprises generating a general integrity check
value for the at least one header section integrity check
value and content block data partly constituting the data to
verify the data.

[0089] Moreover, a sixth aspect of the present invention is
a recording program providing medium recorded with a computer
program for executing a data verifying process having certain
actions. The actions comprise executing a collation process
using partial integrity check values generated as integrity
check values for a partial data set containing partial data,
and using an intermediate integrity check value to verify the
partial data set. The intermediate integrity check value is
based on a partial integrity check value set obtained by
combining at least some of the partial integrity check values
together, and the partial data set corresponds to the partial
integrity check values constituting the partial integrity
check value set.

[0090] A seventh aspect of the present invention is a data
processing apparatus including an encryption processing
section that executes encryption processing including at
least one of data encryption, data decryption, data
verification, authentication processing and signature
processing and a storage section that stores master keys to
generate keys used for the encryption processing. The
encryption processing section is configured to generate
individual keys for executing the encryption processing based
on one of the master keys, an encryption processing target
apparatus, and data identification data.

[0091] According to another embodiment of the data
processing apparatus of the present invention, the encryption
processing section performs the encryption processing on
transfer data via a recording medium or a communication
medium. The storage section stores a distribution key
generation master key MKdis for generating a distribution key
Kdis. The distribution key Kdis is used for the encryption
processing of the transfer data. The encryption processing
section executes the encryption processing based on said
distribution key generation master key MKdis and a data
identifier. The data identifier includes identification data
of the transfer data.

[0092] Furthermore, according to another embodiment of the
data processing apparatus of the present invention, the data
processing apparatus performs authentication processing of an
externally connected apparatus which data is transferred to or
from. The storage section stores an authentication key
generation master key MKake for generating an authentication
key Kake of the externally connected apparatus. The encryption
processing section executes the encryption processing based on
the authentication key generation master key MKake and an
identifier of the externally connected apparatus. The
externally connected apparatus identifier includes
identification data of the externally connected apparatus.

[0093] Furthermore, according to another embodiment of the
data processing apparatus of the present invention, the
encryption processing section performs the signature
processing on data. The storage section stores a signature key
generation master key MKdev for generating a data processing
apparatus signature key Kdev of the data processing apparatus.
The encryption processing section executes the signature
encryption processing based on the signature key generation
master key MKdev and a data processing apparatus identifier.
The data processing apparatus identifier includes
identification data of said data processing apparatus.

[0094] Furthermore, according to another embodiment of the
data processing apparatus of the present invention, the
encryption processing section performs individual key
generation processing that generates individual keys for
executing encryption processing based on the master keys and
identification data. The encryption processing uses
identification data as a message and applies the master keys
as the encryption keys.

[0095] Furthermore, according to another embodiment of the
data processing apparatus of the present invention, the
encryption processing uses a DES algorithm.

[0096] Furthermore, an eighth aspect of the present
invention is a data processing system comprising a plurality
of data processing apparatuses, a common master key to
generate a key used for encryption processing including at
least one of data encryption, data decryption, data
verification, authentication processing and signature
processing (each of said plurality of data processing
apparatuses having said common master key), and a common
individual key for executing the encryption processing based
on the master key and identification data. Each of the
plurality of data processing apparatuses generates the common
individual key.

[0097] Furthermore, another embodiment of the data
processing system of the present invention further comprises a
contents data providing apparatus operable to configure the
plurality of data processing apparatuses and to supply
contents data. The system also includes a contents data
utilization apparatus that utilizes the contents data. Both
the contents data providing apparatus and the contents data
utilization apparatus have a distribution key generation
master key to generate a contents data distribution key. The
contents data distribution key is used for encryption
processing of circulation contents data between the contents
data providing apparatus and the contents data utilization
apparatus. The contents data providing apparatus generates the
contents data distribution key based on the distribution key
generation master key and a contents identifier. The contents
identifier is an identifier of the contents data, and the
contents data utilization apparatus generates the contents
data distribution key based on the distribution key generation
master key and contents identifier.

[0098] Furthermore, according to another embodiment of the
data processing system of the present invention, the contents
data providing apparatus generates a plurality of different
contents data distribution keys based on a plurality of
different distribution key generation master keys and the
contents identifier, executes encryption processing using the
plurality of different contents data distribution keys
generated and generates encryption contents data having a
plurality of types. The contents data utilization apparatus
has at least one of the plurality of different distribution
key generation master keys and makes decodable only encryption
contents data formed by a distribution key generated using one
of the different distribution key generation master keys that
is the same as a distribution key generation master key owned
by its own apparatus.

[0099] Furthermore, another embodiment of the data
processing system of the present invention further includes a
contents key generation master key to generate a contents key
used for encryption processing of data. The contents key
generation master key is stored in each of the plurality of
data processing apparatuses. A first one of said plurality of
data processing apparatuses stores the contents data in a
storage medium. The contents data are encrypted by the
contents key generated based on the contents key generation
master key and an apparatus identifier of the first one of the
plurality of data processing apparatuses. A second one of the
plurality of data processing apparatuses generates the
contents key based on the contents key generation master key
and the apparatus identifier of the first one of the plurality
of data processing apparatuses and executes decryption
processing on the encrypted contents data stored in said
storage medium.

[0100] Furthermore, another embodiment of the data
processing system further includes a host device having an
authentication key generation master key and a slave device
subject to authentication processing by the host device. The
slave device has the authentication key generation master key
and a slave device identifier. The authentication key
generation master key is used for authentication processing
between the host device and said slave device, wherein the
slave device generates an authentication key based on the
authentication key generation master key and the slave device
identifier. The slave device identifier is an identifier of
the slave device and is stored in a memory of the slave
device. The host device generates the authentication key based
on the authentication key generation master key and the slave
device identifier. The plurality of data processing
apparatuses are configured by the host device and the slave
device.

[0101] Furthermore, a ninth aspect of the present invention is a
data processing method that executes encryption processing
including at least one of data encryption, data decryption, data
verification, authentication processing and signature processing.
The data processing method includes generating individual keys
necessary to execute the encryption processing based on master
keys and identification data of an externally connected apparatus
or data subject to encryption processing. The method also includes
executing encryption processing based on the individual keys.

[0102] Furthermore, according to another embodiment of the data
processing method of the present invention, encryption processing
is executed on transfer data via a storage medium or communication
medium. The step of generating the individual keys includes
executing encryption processing based on a distribution key
generation master key MKdis and a data identifier, and generating
a distribution key Kdis of the transfer data. The distribution key
Kdis is used for encryption processing of the transfer data, and
the data identifier includes identification data of the transfer
data. The encryption processing step includes executing encryption
processing on transfer data based on the distribution key Kdis.

[0103] Furthermore, according to another embodiment of the data
processing method of the present invention, the encryption
processing is authentication processing of the externally
connected apparatus to and from which data is transferred. The
step of generating individual keys includes executing encryption
processing and generating an authentication key Kake. Encryption
processing is based on an authentication key generation master key
MKake and an externally connected apparatus identifier. The
externally connected apparatus identifier includes identification
data of the externally connected apparatus. The step of executing
the encryption processing includes executing authentication
processing of the externally connected apparatus based on the
authentication key Kake.

[0104] Furthermore, according to another embodiment of the data
processing method of the present invention, encryption processing
is signature processing on the data. The step of generating said
individual keys includes executing signature encryption processing
based on a signature key generation master key MKdev and a data
processing apparatus identifier, and generating a data processing
apparatus signature key Kdev of a data processing apparatus. The
signature key generation master key MKdev is operable to generate
the data processing apparatus signature key Kdev. The data
processing apparatus identifier is identification data of the data
processing apparatus, and the encryption processing includes
executing signature processing on the data based on the signature
key Kdev.

[0105] Furthermore, according to another embodiment of the data
processing method of the present invention, the step of generating
individual keys includes executing encryption processing using at
least part of the identification data of the externally connected
apparatus or the data subject to encryption processing as a
message, and applying the master keys as the encryption keys.

[0106] Furthermore, according to another embodiment of the data
processing method of the present invention, the encryption
processing uses a DES algorithm.
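The master-key scheme of [0099] to [0106], as an added example rather than code from the patent: an individual key is regenerated on demand from a master key and an identifier, so a host needs no per-device key table. HMAC-SHA-256 stands in for the DES operation the text specifies, and the key values, identifiers and the one-way challenge-response are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def derive_key(master_key: bytes, identifier: bytes) -> bytes:
    """Individual key from a master key and an identifier.

    The text applies DES with the master key as the encryption key and the
    identifier as the message; HMAC-SHA-256 is substituted here (assumption).
    """
    return hmac.new(master_key, identifier, hashlib.sha256).digest()


class SlaveDevice:
    """Slave side: holds its identifier and the authentication key Kake."""

    def __init__(self, device_id: bytes, mk_ake: bytes):
        self.device_id = device_id
        # Generated from MKake and the slave identifier, then kept in memory.
        self.kake = derive_key(mk_ake, device_id)

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.kake, challenge, hashlib.sha256).digest()


class HostDevice:
    """Host side: holds MKake and regenerates Kake for the slave it meets."""

    def __init__(self, mk_ake: bytes):
        self.mk_ake = mk_ake

    def authenticate(self, slave: SlaveDevice, claimed_id: bytes) -> bool:
        kake = derive_key(self.mk_ake, claimed_id)
        challenge = os.urandom(16)  # fresh per attempt, so replies cannot be replayed
        expected = hmac.new(kake, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, slave.respond(challenge))


def demo() -> dict:
    # All keys and identifiers below are constructed sample values.
    mk_ake = bytes.fromhex("00112233445566778899aabbccddeeff")
    mk_con = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    host = HostDevice(mk_ake)
    slave_1 = SlaveDevice(b"SLAVE-0001", mk_ake)
    slave_2 = SlaveDevice(b"SLAVE-0002", mk_ake)
    outsider = SlaveDevice(b"SLAVE-0001", bytes(16))  # right ID, wrong master key

    # Contents key: apparatus B rebuilds the key apparatus A used by feeding
    # A's identifier, not its own, into the shared master key.
    key_used_by_a = derive_key(mk_con, b"APPARATUS-A")
    key_rebuilt_by_b = derive_key(mk_con, b"APPARATUS-A")
    key_from_b_own_id = derive_key(mk_con, b"APPARATUS-B")

    return {
        "genuine_slave": host.authenticate(slave_1, slave_1.device_id),
        "wrong_identifier": host.authenticate(slave_2, slave_1.device_id),
        "wrong_master_key": host.authenticate(outsider, outsider.device_id),
        "individual_keys_differ": slave_1.kake != slave_2.kake,
        "b_rebuilds_contents_key": key_rebuilt_by_b == key_used_by_a,
        "own_id_gives_wrong_key": key_from_b_own_id != key_used_by_a,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every party that can regenerate keys holds the master key, so the master key is the value whose storage needs the strongest protection; the individual keys only limit what a single extracted key exposes.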

[0107] Furthermore, a tenth aspect of the present invention is a
data processing system comprising a contents data providing
apparatus that supplies contents data and a contents data
utilization apparatus. The contents data providing apparatus is
operable to generate a contents data distribution key based on a
distribution key generation master key and a contents identifier.
The contents identifier is an identifier of contents data and the
contents data providing apparatus is operable to execute
encryption processing on the contents data. The contents data
utilization apparatus utilizes the contents data. The contents
data utilization apparatus is operable to generate the contents
data distribution key based on the distribution key generation
master key and the contents identifier and executes decryption
processing on the contents data.

[0108] Furthermore, according to another embodiment of the data
processing system according to the present invention, the contents
data providing apparatus generates a plurality of different
contents data distribution keys based on a plurality of different
distribution key generation master keys and the contents
identifier, executes encryption processing using the plurality of
different contents data distribution keys, and generates
encryption contents data having a plurality of types. The contents
data utilization apparatus has at least one of the plurality of
different distribution key generation master keys and decrypts
only encryption contents data formed by a distribution key
generated using one of the different distribution key generation
master keys that is the same as a distribution key generation
master key owned by the apparatus itself.

[0109] Furthermore, an eleventh aspect of the present invention is
a data processing method in a data processing system. The data
processing method includes storing contents data in a storage
medium. The contents data are encrypted using a contents key and
are stored by a data processing apparatus A. The contents key is
generated based on a contents data generation master key and an
apparatus identifier of the data processing apparatus A. The
method also includes generating the same contents key with a data
processing apparatus B based on the contents key generation master
key and the apparatus identifier of the data processing apparatus
A. The method further includes decrypting the contents data stored
in the storage medium using the contents key generated by said
data processing apparatus B.

[0110] Furthermore, a twelfth aspect of the present invention is a
data processing method in a data processing system including a
host device and a slave device subject to authentication
processing by said host device. The data processing method
comprises generating an authentication key in the slave device
based on an authentication key generation master key and a slave
device identifier. The authentication key is used for
authentication processing between the host device and the slave
device. The slave device identifier is an identifier of the slave
device. The method also includes storing the authentication key in
a memory in the said slave device, and generating the
authentication key in the host device based on the authentication
key generation master key and the slave device identifier and
executing authentication processing.

[0111] Furthermore, a thirteenth aspect of the present invention
is a recording medium recorded with a computer program for
executing encryption processing having certain actions to perform
at least one of data encryption, data decryption, data
verification, authentication processing and signature processing
on a computer system. The actions comprise generating individual
keys necessary to execute the encryption processing based on the
master keys and identification data of the apparatus or data
subject to encryption processing, and executing encryption
processing based on the individual keys generated in the key
generating step.

[0112] A fourteenth aspect of the present invention is a data
processing apparatus that processes contents data supplied from a
storage medium or communication medium. The apparatus comprises a
storage section that stores data processing apparatus identifiers,
a list verification section that extracts an illegal device list
included in the contents data and executes collation between
entries in the illegal device list and the data processing
apparatus identifiers stored in the storage section, and a control
section that terminates processing of at least one of reproduction
of the contents data or processing of storage in a recording
device when a result of the collation shows that the illegal
device list includes information that matches the data processing
apparatus identifiers.

[0113] According to another embodiment of the data processing
apparatus of the present invention, the list verification section
comprises an encryption processing section that executes
encryption processing on the contents data. The encryption
processing section verifies the presence or absence of tampering
in the illegal device list based on check values of the illegal
device list included in the contents data and executes the
collation processing only when the verification proves no
tampering.

[0114] Furthermore, another embodiment of the data processing
apparatus of the present invention further comprises an illegal
device list check value generation key. The encryption processing
section executes encryption processing by applying the illegal
device list check value generation key to illegal device list
configuration data to be verified, generates illegal device list
check values, executes collation between the illegal device list
check values and illegal device list check values included in the
contents data and thereby verifies the presence or absence of
tampering in the illegal device list.

[0115] Furthermore, according to another embodiment of the data
processing apparatus of the present invention, the list
verification section comprises an encryption processing section
that executes encryption processing on the contents data. The
encryption processing section executes decryption processing of an
encrypted illegal device list included in the contents data to
produce a decrypted illegal device list, and executes the
collation processing on the decrypted illegal device list
resulting from the decryption processing. Furthermore, according
to another embodiment of the data processing apparatus of the
present invention, the list verification section comprises an
encryption processing section that executes mutual authentication
processing with a recording device to and from which contents data
is transferred. The list verification section extracts the illegal
device list included in the contents data and executes collation
with the data processing apparatus identifiers stored in the
storage section on condition that authentication with the
recording device has been established through mutual
authentication processing executed by the encryption processing
section.

[0116] A fifteenth aspect of the present invention is a data
processing method that processes contents data supplied from a
storage medium or communication medium. The method comprises
extracting an illegal device list included in the contents data,
executing collation between entries included in the illegal device
list and the data processing apparatus identifiers stored in a
storage section in a data processing apparatus, and

[0117] stopping execution of processing of at least one of
reproduction of the contents data or processing of storage in the
recording device when a result of the collation shows that the
illegal device list includes information that matches the data
processing apparatus identifiers.

[0118] Furthermore, according to another embodiment of the data
processing method of the present invention, the data processing
method further comprises verifying the presence or absence of
tampering in the illegal device list based on check values of the
illegal device list included in the contents data, and executing
collation only when the verifying step proves no tampering.

[0119] Furthermore, according to another embodiment of the data
processing method of the present invention, the verifying step
includes executing encryption processing by applying an illegal
device list check value generation key to illegal device list
configuration data to be verified and generating illegal device
list check values, and executing collation between the illegal
device list check values generated and the illegal device list
check values included in the contents data and thereby verifying
the presence or absence of tampering in the illegal device list.

[0120] Furthermore, another embodiment of the data processing
method of the present invention further comprises executing
decrypting processing on an encrypted illegal device list included
in the contents data to produce a decrypted illegal device list
and executing the collation processing on the decrypted illegal
device list.

[0121] Furthermore, another embodiment of the data processing
method of the present invention further comprises executing mutual
authentication processing with a recording device to and from
which contents data is transferred. Collation is performed on
condition that authentication with the recording device has been
established through mutual authentication processing executed by
the mutual authentication processing step.
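The verify-then-collate order of [0112] to [0121], as an added example rather than code from the patent: the list's check value is verified first, and any failure stops processing instead of skipping the list. HMAC-SHA-256 stands in for the DES-based check value, and the list encoding, field names, key and identifiers are constructed for illustration.

```python
import hashlib
import hmac
import struct

PROCEED = "proceed"
STOP_TAMPERED = "stop: illegal device list failed verification"
STOP_LISTED = "stop: apparatus is on the illegal device list"


def encode_list(device_ids):
    """Serialize the list as a count plus length-prefixed entries."""
    parts = [struct.pack(">I", len(device_ids))]
    for device_id in device_ids:
        parts.append(struct.pack(">H", len(device_id)) + device_id)
    return b"".join(parts)


def decode_list(blob):
    """Parse the encoding above, rejecting truncated or padded input."""
    (count,) = struct.unpack_from(">I", blob, 0)
    pos, entries = 4, []
    for _ in range(count):
        (size,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        if pos + size > len(blob):
            raise ValueError("truncated entry")
        entries.append(blob[pos:pos + size])
        pos += size
    if pos != len(blob):
        raise ValueError("trailing bytes after last entry")
    return entries


def check_value(check_key, blob):
    # Check value generation key applied to the list configuration data.
    # HMAC-SHA-256 replaces the DES-based computation (assumption).
    return hmac.new(check_key, blob, hashlib.sha256).digest()


def build_header(device_ids, check_key):
    """Producer side: list and its check value go into the header."""
    blob = encode_list(device_ids)
    return {"illegal_device_list": blob,
            "list_check_value": check_value(check_key, blob)}


def gate(header, own_ids, check_key):
    """Consumer side: decide whether reproduction or storage may continue."""
    blob = header.get("illegal_device_list")
    stored = header.get("list_check_value")
    # A header without a list is treated like a tampered one (assumption):
    # otherwise deleting the list would be the easiest way around it.
    if not isinstance(blob, bytes) or not isinstance(stored, bytes):
        return STOP_TAMPERED
    if not hmac.compare_digest(check_value(check_key, blob), stored):
        return STOP_TAMPERED
    try:
        listed = set(decode_list(blob))
    except (struct.error, ValueError):
        return STOP_TAMPERED
    # Collation runs only after verification has proved no tampering.
    if listed & set(own_ids):
        return STOP_LISTED
    return PROCEED


if __name__ == "__main__":
    key = bytes(range(16))  # constructed key
    header = build_header([b"DEV-0007", b"DEV-0042"], key)
    print(gate(header, [b"DEV-0001"], key))
    print(gate(header, [b"DEV-0042"], key))
    stripped = dict(header, illegal_device_list=encode_list([b"DEV-0007"]))
    print(gate(stripped, [b"DEV-0042"], key))
```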

[0122] A sixteenth aspect of the present invention is a contents
data generation method comprising generating contents data
supplied to a plurality of recorders or a plurality of
reproducers. The contents data are supplied from a storage medium
or a communication medium. The method also includes storing an
illegal device list as the header information of the contents
data. The illegal device list has component data comprising
identifiers of the plurality of recorders or the plurality of
reproducers which will be excluded from the use of the contents
data.

[0123] Furthermore, according to another embodiment of the
contents data generation method of the present invention, the
illegal device list check values for a tampering check of the
illegal device list are also stored as the header information of
the contents data.

[0124] Furthermore, according to another embodiment of the
contents data generation method of the present invention, the
illegal device list is encrypted and stored in the header
information of the contents data.

[0125] Furthermore, a seventeenth aspect of the present invention
is a recording medium recorded with a computer program for
processing of contents data supplied from a storage medium or a
communication medium. The computer program comprises extracting an
illegal device list included in the contents data, executing
collation between entries included in the illegal device list and
data processing apparatus identifiers stored in a storage section
in a data processing apparatus, and stopping execution of
processing of at least one of reproduction of the contents data or
processing of storage in a recording device when a result of the
collation shows that the illegal device list includes information
that matches the data processing identifiers.

[0126] An eighteenth aspect of the present invention is a data
processing apparatus that processes contents data supplied via a
recording medium or a communication medium. It comprises an
encryption processing section that executes encryption processing
on the contents data, a control section that executes control over
the encryption processing section, and a system common key used
for encryption processing, which is common to a plurality of data
processing apparatuses using the contents data, the plurality of
data processing apparatuses including the data processing
apparatus. The apparatus also includes at least one of an
apparatus-specific key and an apparatus-specific identifier. The
apparatus-specific key is specific to the data processing
apparatus. The apparatus-specific identifier is used to generate
the apparatus-specific key. The encryption processing section is
configured to perform encryption processing by applying one of the
system common key and the apparatus-specific key according to a
utilization mode of the contents data.

[0127] Furthermore, in another embodiment of the data processing
apparatus of the present invention, the encryption processing
section executes encryption processing by applying either one of
the system common key and the apparatus-specific key according to
utilization restriction information included in the contents data.

[0128] Furthermore, another embodiment of the data processing
apparatus of the present invention further includes a recording
device for recording the contents data. When the utilization mode
restricts usage of the contents data to the data processing
apparatus, data to be stored in the recording device is generated
by executing encryption processing using the apparatus-specific
key on the contents data. Where the utilization mode permits usage
of the contents data by at least one of the plurality of data
processing apparatuses other than the data processing apparatus,
the data to be stored in the recording device is generated by
executing encryption processing using the system common key on the
contents data.

[0129] Another embodiment of the data processing apparatus of the
present invention further includes a signature key Kdev and a
system signature key Ksys. The signature key Kdev is specific to
the data processing apparatus and said system signature key Ksys
is common to the plurality of data processing apparatuses. When
the contents data is stored in a recording device, the contents
data is restricted to use by said data processing apparatus. The
encryption processing section generates an apparatus-specific
check value through encryption processing by applying said
signature key Kdev to the contents data. When the contents data is
stored in the recording device, the contents data also is made
available for use by at least one of the plurality of data
processing apparatuses other than the data processing apparatus.
The encryption processing section generates an overall check value
through encryption processing by applying the system signature key
Ksys to the contents data, and the control section performs
control of storing the contents data in the recording device
together with one of the apparatus-specific check value and the
overall check value.
[0130] Yet another embodiment of the data processing apparatus of
the present invention further includes a signature key Kdev and a
system signature key Ksys. The signature key Kdev is specific to
the data processing apparatus and the system signature key Ksys is
common to the plurality of data processing apparatuses. When the
utilization mode restricts usage of contents data to the data
processing apparatus, and the contents data is reproduced, the
encryption processing section generates an apparatus-specific
check value by applying the signature key Kdev to the contents
data and performs collation processing on the apparatus-specific
check value. When the utilization mode permits usage of the
contents data by at least one of the plurality of data processing
apparatuses other than the data processing apparatus, and the
contents data is reproduced, the encryption processing section
generates an overall check value by applying the system signature
key Ksys to the contents data and performs collation processing on
the overall check value. The control section generates
reproducible decrypted data by continuing processing of the
contents data by the encryption processing section only when
collation with the apparatus-specific check value is established
or when the collation with the overall check value is established.

[0131] Another embodiment of the data processing apparatus of the
present invention further includes a recording data processing
apparatus signature key master key MKdev and a data processing
apparatus identifier IDdev. The encryption processing section
generates a signature key Kdev as the data processing
apparatus-specific key through encryption processing based on the
recording data processing apparatus signature key master key MKdev
and the data processing apparatus identifier IDdev.

[0132] Furthermore, in another embodiment of the data processing
apparatus of the present invention, the encryption processing
section generates the signature key Kdev through DES encryption
processing by applying the recording data processing apparatus
signature key master key MKdev to the data processing apparatus
identifier IDdev.

[0133] Furthermore, in yet another embodiment of the data
processing apparatus of the present invention, the encryption
processing section generates an intermediate integrity check value
by executing encryption processing on the contents data. The
encryption processing includes applying one of the data processing
apparatus-specific key and the system common key on the
intermediate integrity check value.

[0134] Furthermore, in another embodiment of the data processing
apparatus of the present invention, the encryption processing
section generates a partial integrity check value through
encryption processing on a partial data set containing at least
one partial data item obtained by dividing the contents data into
a plurality of parts and generates the intermediate integrity
check value through encryption processing on a partial integrity
check value set data string containing the partial integrity check
value generated.
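The check-value chain of [0126] to [0134], as an added example rather than code from the patent: partial check values feed an intermediate value, which is then bound with Kdev or Ksys according to the utilization restriction. HMAC-SHA-256 stands in for the DES operations; the separate `icv_key`, the inclusion of the restriction flag in the intermediate value, the record layout and all key and identifier values are assumptions.

```python
import hashlib
import hmac


def mac(key: bytes, data: bytes) -> bytes:
    # Stand-in for the DES-based "encryption processing" in the text.
    return hmac.new(key, data, hashlib.sha256).digest()


def intermediate_check_value(icv_key, restricted, blocks):
    """Partial check value per block, then one value over the set of them."""
    partial = [mac(icv_key, block) for block in blocks]
    flag = b"\x01" if restricted else b"\x00"  # utilization restriction
    return mac(icv_key, flag + b"".join(partial))


class Apparatus:
    def __init__(self, id_dev, mk_dev, k_sys, icv_key):
        self.k_dev = mac(mk_dev, id_dev)  # Kdev from MKdev and IDdev
        self.k_sys = k_sys                # Ksys, common to all apparatuses
        self.icv_key = icv_key            # hypothetical key for partial values

    def select_key(self, restricted):
        """Apparatus-specific key when use is restricted, else the common key."""
        return self.k_dev if restricted else self.k_sys

    def store(self, blocks, restricted):
        """Record written to the recording device together with its check value."""
        inter = intermediate_check_value(self.icv_key, restricted, blocks)
        return {"restricted": restricted,
                "blocks": list(blocks),
                "check_value": mac(self.select_key(restricted), inter)}

    def may_reproduce(self, record):
        """Recompute and collate; processing continues only on a match."""
        inter = intermediate_check_value(
            self.icv_key, record["restricted"], record["blocks"])
        expected = mac(self.select_key(record["restricted"]), inter)
        return hmac.compare_digest(expected, record["check_value"])


def demo() -> dict:
    # Constructed sample keys, identifiers and content blocks.
    mk_dev, k_sys, icv_key = b"M" * 16, b"S" * 16, b"I" * 16
    a = Apparatus(b"IDdev-A", mk_dev, k_sys, icv_key)
    b = Apparatus(b"IDdev-B", mk_dev, k_sys, icv_key)
    blocks = [b"block-0", b"block-1", b"block-2"]

    restricted = a.store(blocks, restricted=True)
    shared = a.store(blocks, restricted=False)
    edited = dict(shared, blocks=[b"block-0", b"BLOCK-1", b"block-2"])
    relabelled = dict(restricted, restricted=False)  # flag flipped on the medium

    return {
        "restricted_on_a": a.may_reproduce(restricted),
        "restricted_on_b": b.may_reproduce(restricted),
        "shared_on_b": b.may_reproduce(shared),
        "edited_block_on_b": b.may_reproduce(edited),
        "relabelled_on_b": b.may_reproduce(relabelled),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```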
[0135] A nineteenth aspect of the present invention is a data
processing method for a data processing apparatus that processes
contents data supplied via a recording medium or a communication
medium. The method includes selecting, according to a utilization
mode of the contents data, an encryption processing key from among
an encryption processing system common key and an
apparatus-specific key. The encryption processing system common
key is common to a plurality of data processing apparatuses using
the contents data. The plurality of data processing apparatuses
includes the data processing apparatus. The apparatus-specific key
is specific to the data processing apparatus. The method also
includes executing encryption processing by applying the selected
encryption processing key to the contents data.

[0136] Furthermore, in another embodiment of the data processing
method of the present invention, the step of selecting the
encryption processing key includes selecting the encryption
processing key according to utilization restriction information
contained in the contents data.

[0137] Furthermore, another embodiment of the data processing
method of the present invention includes generating data to be
stored in a recording device by executing encryption processing
using the apparatus-specific key on the contents data when the
utilization mode restricts usage of the contents data to the data
processing apparatus. This embodiment of the method also includes
generating the data to be stored in the recording device by
executing encryption processing using the encryption processing
system common key on the contents data when the utilization mode
permits usage of the contents data by at least one of the
plurality of data processing apparatuses other than the data
processing apparatus.

[0138] Furthermore, another embodiment of the data
processing method of the present invention includes generating
an apparatus-specific check value through encryption
processing by applying an apparatus-specific signature key
Kdev to the contents data when the contents data is restricted
to use by the data processing apparatus and is stored in the
recording device. This embodiment also includes generating an
overall check value through encryption processing by applying
a system signature key Ksys to the contents data when the
contents data is available for use by at least one of the
plurality of data processing apparatuses other than the data
processing apparatus and is stored in the recording device.
The method also includes storing the contents data in the
recording device together with one of the apparatus-specific
check value and the overall check value.
[0139] Furthermore, in another embodiment of the data
processing method of the present invention, when reproducing
the contents data where the utilization mode restricts usage
of the contents data to the data processing apparatus, the
method further includes generating an apparatus-specific check
value through encryption processing by applying an
apparatus-specific signature key Kdev to the contents data and
performing collation processing on the apparatus-specific
check value generated. When reproducing the contents data
where the utilization mode permits usage of the contents data
by at least one of the plurality of data processing
apparatuses other than the data processing apparatus, the
method generates an overall check value through encryption
processing by applying a system signature key Ksys to the
contents data and performs collation processing on the overall
check value generated. The contents data is reproduced only
when collation processing on the apparatus-specific check
value is established or when the collation processing on the
overall check value is established.

[0140] Furthermore, another embodiment of the data
processing method of the present invention further comprises
generating a signature key Kdev through encryption processing
based on a data processing apparatus signature key master key
MKdev and a data processing apparatus identifier IDdev.
[0141] Furthermore, in another embodiment of the data
processing method of the present invention, generating the
signature key Kdev includes DES encryption processing by
applying the data processing apparatus signature key master
key MKdev to the data processing apparatus identifier IDdev.
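
The storage and reproduction checks of paragraphs [0138] to [0141], as an added example that is not code from the patent: each apparatus derives Kdev from MKdev and IDdev, signs with Kdev or Ksys according to the utilization mode, and reproduces only when collation is established. HMAC-SHA256 stands in for the DES-based encryption processing, and the key values, mode names, record layout and the `Apparatus` class are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed sample keys (not values from the patent).
MK_DEV = bytes.fromhex("00112233445566778899aabbccddeeff")  # master key MKdev
K_SYS = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # system signature key Ksys

# Hypothetical names for the two utilization modes.
LOCAL_ONLY = "local-only"  # usage restricted to the storing apparatus
SHARED = "shared"          # usage permitted on other apparatuses


def keyed(key: bytes, message: bytes) -> bytes:
    """Keyed step. Assumption: HMAC-SHA256 replaces the patent's DES processing."""
    return hmac.new(key, message, hashlib.sha256).digest()


class Apparatus:
    """One data processing apparatus holding MKdev, Ksys and its own IDdev."""

    def __init__(self, id_dev: bytes):
        self.id_dev = id_dev
        # [0140]-[0141]: Kdev is derived by applying MKdev to IDdev.
        self.k_dev = keyed(MK_DEV, id_dev)

    def signature_key(self, mode: str) -> bytes:
        """[0135]: select the key according to the utilization mode."""
        if mode == LOCAL_ONLY:
            return self.k_dev
        if mode == SHARED:
            return K_SYS
        raise ValueError(f"unknown utilization mode: {mode!r}")

    def store(self, contents: bytes, mode: str) -> dict:
        """[0138]: store the contents together with one check value."""
        check = keyed(self.signature_key(mode), contents)
        return {"mode": mode, "contents": contents, "check": check}

    def reproduce(self, record: dict) -> bytes:
        """[0139]: regenerate the check value and collate before reproducing."""
        expected = keyed(self.signature_key(record["mode"]), record["contents"])
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(expected, record["check"]):
            raise PermissionError("collation not established")
        return record["contents"]


def can_reproduce(apparatus: Apparatus, record: dict) -> bool:
    """True when collation is established on the given apparatus."""
    try:
        apparatus.reproduce(record)
        return True
    except PermissionError:
        return False


def collation_matrix() -> dict:
    """Store on apparatus A in both modes, then try both apparatuses."""
    a = Apparatus(b"IDDEV-A1")  # constructed identifiers
    b = Apparatus(b"IDDEV-B2")
    local = a.store(b"constructed sample contents", LOCAL_ONLY)
    shared = a.store(b"constructed sample contents", SHARED)
    # A record whose mode field was changed after storage: the check value
    # was made with Kdev of A, so it cannot collate under Ksys.
    relabelled = dict(local, mode=SHARED)
    return {
        "local on A": can_reproduce(a, local),
        "local on B": can_reproduce(b, local),
        "shared on A": can_reproduce(a, shared),
        "shared on B": can_reproduce(b, shared),
        "relabelled on B": can_reproduce(b, relabelled),
    }


if __name__ == "__main__":
    for case, ok in collation_matrix().items():
        print(f"{case:16s} {'reproduced' if ok else 'refused'}")
```
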

[0142] Furthermore, yet another embodiment of the data
processing method of the present invention further comprises
generating an intermediate integrity check value by executing
encryption processing on the contents data. The encryption
processing includes applying one of the apparatus-specific key
and the system common key to the intermediate integrity check
value.

[0143] Furthermore, another embodiment of the data
processing method of the present invention further includes
generating a partial integrity check value through encryption
processing on a partial data set containing at least one
partial data item obtained by dividing the contents data into
a plurality of parts. This embodiment also includes generating
the intermediate integrity check value through encryption
processing on a partial integrity check value set data string
containing the partial integrity check value generated.

[0144] A twentieth aspect of the present invention is a
recording medium recorded with a computer program for a data
processing apparatus that processes contents data supplied via
a recording medium or a communication medium. The computer
program comprises selecting, according to a utilization mode
of the contents data, a key from among an encryption
processing key, an encryption processing system common key and
an apparatus-specific key. The encryption processing system
common key is common to a plurality of data processing
apparatuses using the contents data. The plurality of data
processing apparatuses includes the data processing apparatus.
The apparatus-specific key is specific to the data processing
apparatus. The computer program also executes encryption
processing by applying the selected encryption processing key
to the contents data.

[0145] A twenty first aspect of the present invention is a
data processing apparatus that processes contents data
supplied via a recording medium or a communication medium.
The data processing apparatus comprises an encryption
processing section that executes encryption processing on the
contents data, and a control section that executes control
over the encryption processing section. The encryption
processing section is configured to generate a contents check
value in units of contents block data to be verified included
in the contents data, and to execute collation on the contents
check value generated and thereby execute verification
processing on the validity of each of said units of contents
block data.

[0146] Furthermore, another embodiment of the data
processing apparatus of the present invention further includes
a contents check value generation key, wherein the encryption
processing section generates a contents intermediate value
based on the contents block data and generates a contents
check value by applying the contents check value generation
key to the contents intermediate value.

[0147] Furthermore, in another embodiment of the data
processing apparatus of the present invention, when the
contents block data is encrypted, the encryption processing
section generates the contents intermediate value by executing
predetermined operation processing on an entire decrypted
statement in units of a predetermined number of bytes. The
entire decrypted statement is obtained by decryption
processing of the contents block data. When the contents block
data is not encrypted, the encryption processing system
generates the contents intermediate value by executing
predetermined operation processing on the contents block data
in units of the predetermined number of bytes.

[0148] Furthermore, in yet another embodiment of the data
processing apparatus of the present invention, the
predetermined operation processing is an exclusive-OR
operation.
[0149] Furthermore, in another embodiment of the data
processing apparatus of the present invention, the encryption
processing section has an encryption processing configuration
in a CBC mode and the decryption processing applied is
decryption processing in the CBC mode.
[0150] Furthermore, in another embodiment of the data
processing apparatus of the present invention, the encryption
processing configuration in the CBC mode is a configuration
in which common key encryption processing is applied a
plurality of times only to part of a message string.

[0151] Furthermore, in yet another embodiment of the data
processing apparatus of the present invention, when the
contents block data contains a plurality of parts and a
portion of the plurality of parts is to be verified, the
encryption processing section generates the contents check
value based on the portion to be verified, and executes
collation processing on the contents check value.

[0152] Furthermore, in an alternative embodiment of the data
processing apparatus of the present invention, when the
portion is encrypted, the encryption processing section
generates the contents check value by applying a contents
check value generation key to a value obtained by carrying out
an exclusive-OR in units of a predetermined number of bytes on
an entire decrypted statement, which is obtained by decryption
processing of the portion. When the portion is not encrypted,
the encryption processing section generates the contents check
value by executing encryption processing applying the contents
check value generation key to the value.

[0153] Furthermore, another embodiment of the data
processing apparatus of the present invention is characterized
in that, when a portion of the plurality of parts needs to be
verified, the encryption processing section applies a contents
check value generation key to the portion of the plurality of
parts to obtain a parts check value. The encryption processing
section also applies the contents check value generation key
to link data of the parts check value to obtain a result, and
uses the result as the contents check value.
[0154] Furthermore, in another embodiment of the data
processing apparatus of the present invention, the encryption
processing section further comprises a recording device for
storing the contents data containing the units of contents
block data whose validity has been verified.
[0155] Furthermore, another embodiment of the data
processing apparatus of the present invention is characterized
in that, when collation processing executed on the contents
check value is not established, the control section stops the
storage in the recording device.

[0156] Furthermore, in yet another embodiment of the data
processing apparatus of the present invention, the encryption
processing section further comprises a reproduction processing
section for reproducing data whose validity has been verified.

[0157] Furthermore, in another embodiment of the data
processing apparatus of the present invention, when collation
processing executed on the contents check value is not
established, the control section stops the reproduction
processing in the reproduction processing section.

[0158] A twenty second aspect of the present invention is a
data processing method that processes contents data supplied
via a recording medium or a communication medium. The method
includes generating a contents check value in units of
contents block data included in the contents data, and
executing collation processing on the contents check value
generated, thereby executing verification processing as to the
validity of the units of contents block data in the data.
[0159] Furthermore, another embodiment of the data
processing method of the present invention generates a
contents intermediate value based on the contents block data,
and generates a contents check value by executing encryption
processing by applying the contents check value generation key
to the contents intermediate value generated.

[0160] Furthermore, in another embodiment of the data
processing method of the present invention, when the contents
block data is encrypted, a contents intermediate value is
generated by executing predetermined operation processing on
an entire decrypted statement in units of a predetermined
number of bytes. The entire decrypted statement is obtained by
decryption processing of the contents block data. When the
contents block data is not encrypted, the contents
intermediate value is generated by executing the predetermined
operation processing on the contents block data in the units
of the predetermined number of bytes.
[0161] Furthermore, in another embodiment of the data
processing method of the present invention, the predetermined
operation processing is an exclusive-OR operation.
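
The contents check value of paragraphs [0146] to [0148] and [0159] to [0161] for an unencrypted block, as an added example that is not code from the patent: the block is folded by exclusive-OR in fixed-size units and a key is applied to the result, then the same block is checked after two kinds of change. The 8-byte unit, the truncated HMAC-SHA256 used in place of the DES-based keyed step, the sample key and block, and the whole-block MAC shown for comparison are assumptions.

```python
import hashlib
import hmac

UNIT = 8  # assumed "predetermined number of bytes" (one DES block)

# Constructed sample values, not taken from the patent.
KEY = bytes.fromhex("a1b2c3d4e5f60718")
BLOCK = b"UNIT-001" + b"UNIT-002" + b"UNIT-003"


def xor_fold(block: bytes, unit: int = UNIT) -> bytes:
    """Contents intermediate value: XOR of the block taken unit by unit."""
    if not block or len(block) % unit:
        raise ValueError("block length must be a non-zero multiple of the unit")
    acc = bytearray(unit)
    for offset in range(0, len(block), unit):
        for i in range(unit):
            acc[i] ^= block[offset + i]
    return bytes(acc)


def contents_check_value(key: bytes, block: bytes) -> bytes:
    """Apply the check value generation key to the intermediate value.

    Assumption: truncated HMAC-SHA256 replaces the DES encryption step.
    """
    return hmac.new(key, xor_fold(block), hashlib.sha256).digest()[:UNIT]


def whole_block_mac(key: bytes, block: bytes) -> bytes:
    """Comparison point: a MAC computed over every byte, in order."""
    return hmac.new(key, block, hashlib.sha256).digest()


def collate(key: bytes, block: bytes, stored: bytes) -> bool:
    """Collation processing: regenerate the check value and compare."""
    return hmac.compare_digest(contents_check_value(key, block), stored)


def swap_units(block: bytes, a: int, b: int, unit: int = UNIT) -> bytes:
    """Return the block with units a and b exchanged."""
    units = [block[i:i + unit] for i in range(0, len(block), unit)]
    units[a], units[b] = units[b], units[a]
    return b"".join(units)


def flip_bit(block: bytes, index: int) -> bytes:
    """Return the block with the lowest bit of one byte inverted."""
    changed = bytearray(block)
    changed[index] ^= 0x01
    return bytes(changed)


def detection_report() -> dict:
    """For each variant, report whether each check still accepts it."""
    stored_icv = contents_check_value(KEY, BLOCK)
    stored_mac = whole_block_mac(KEY, BLOCK)
    variants = {
        "unchanged": BLOCK,
        "one bit changed": flip_bit(BLOCK, 5),
        "units reordered": swap_units(BLOCK, 0, 2),
    }
    report = {}
    for name, data in variants.items():
        report[name] = {
            "xor_check_accepts": collate(KEY, data, stored_icv),
            "whole_mac_accepts": hmac.compare_digest(
                whole_block_mac(KEY, data), stored_mac),
        }
    return report


if __name__ == "__main__":
    for name, result in detection_report().items():
        print(f"{name:16s} {result}")
```

Because exclusive-OR is commutative, the intermediate value does not depend on the order of the units, so a design review of such a check should ask what else binds unit order.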

[0162] Furthermore, in yet another embodiment of the data
processing method of the present invention, the decryption
processing applied when the contents block data is encrypted
is decryption processing in CBC mode.
[0163] Furthermore, in another embodiment of the data
processing method of the present invention, in the step of
decryption processing in the CBC mode, common key encryption
processing is applied a plurality of times only to part of a
message string.

[0164] Furthermore, in yet another embodiment of the data
processing method of the present invention, when the contents
block data contains a plurality of parts and a portion of the
plurality of parts is to be verified, the contents check value
is generated based on the portion to be verified prior to
executing the collation processing on the contents check
value.

[0165] Furthermore, in another embodiment of the data
processing method of the present invention, when the portion
is encrypted, the method includes performing decryption
processing on the portion to obtain an entire decrypted
statement, carrying out an exclusive-OR operation in units of
a predetermined number of bytes on the entire decrypted
statement, and generating the contents check value by applying
a contents check value generation key to a value obtained by
the exclusive-OR operation. When the portion is not encrypted,
the method includes generating the contents check value by
applying the contents check value generation key to the value.

[0166] Furthermore, another embodiment of the data
processing method of the present invention includes: applying
a contents check value generation key to each of the plurality
of parts to obtain a parts check value; further applying the
contents check value generation key to link data of the parts
check value to obtain a result; and using the result as the
contents check value.

[0167] Furthermore, another embodiment of the data
processing method of the present invention further includes
storing the contents data containing said units of contents
block data whose validity has been verified.

[0168] Furthermore, yet another embodiment of the data
processing method of the present invention further includes
stopping the storing of the contents data when the collation
processing executed on the contents check value is not
established.

[0169] Furthermore, another embodiment of the data
processing method of the present invention further includes
reproducing data whose validity has been verified.

[0170] Furthermore, another embodiment of the data
processing method of the present invention further includes
stopping the reproduction processing when the collation
processing executed on the contents check value is not
established.
[0171] A twenty third aspect of the present invention is a
contents data verification value assignment method for
contents data verification processing. The method includes
first generating a contents check value in units of contents
block data. The contents block data are included in the
contents data. The method also includes assigning the contents
check value to the contents data.

[0172] Furthermore, in another embodiment of the contents
data verification value assignment method of the present
invention, the contents check value is generated through
encryption processing by applying a contents check value
generation key using the contents block data as a message.

[0173] Furthermore, in yet another embodiment of the
contents data verification value assignment method of the
present invention, the contents check value is generated by
generating a contents intermediate value based on the contents
block data and applying a contents check value generation key
to the contents intermediate value.
[0174] Furthermore, in another embodiment of the contents
data verification value assignment method of the present
invention, the contents check value is generated by executing
encryption processing on the contents block data in a CBC
mode.

[0175] Furthermore, in yet another embodiment of the
contents data verification value assignment method of the
present invention, the encryption processing in CBC mode is a
configuration in which common key encryption processing is
applied a plurality of times only to part of a message string
to be processed.
[0176] Furthermore, in another embodiment of the contents
data verification value assignment method of the present
invention, when the contents block data contains a plurality
of parts and a portion of the plurality of parts is to be
verified, the method further comprises generating the contents
check value based on the portion and assigning the contents
check value to the contents data.

[0177] Furthermore, another embodiment of the contents data
verification value assignment method of the present invention
further includes, when the portion is encrypted: performing
decryption processing of the portion to obtain an entire
decrypted statement; carrying out an exclusive-OR operation in
units of a predetermined number of bytes on the entire
decrypted statement to obtain a value; and generating the
contents check value by applying a contents check value
generation key to the value. When the portion is not
encrypted, the method further includes generating the contents
check value by applying the contents check value generation
key to the value.

[0178] Yet another embodiment of the contents data
verification value assignment method of the present invention
further includes: applying a contents check value generation
key to each of the plurality of parts to obtain a parts check
value; further applying the contents check value generation
key to link data of the parts check value to obtain a result;
and using the result as the contents check value.
[0179] A twenty fourth aspect of the present invention is a
recording medium recorded with a computer program for
executing data processing on contents data supplied via a
recording medium or a communication medium. The computer
program comprises generating a contents check value in units
of contents block data to be verified included in the contents
data, and executing collation processing on the contents check
value generated, thereby executing verification processing as
to the validity of the units of contents block data in the
data.

[0180] A twenty fifth aspect of the present invention is a
data processing apparatus for executing processing for
generating storing data with respect to a recording device for
recording content data. The content data includes a plurality
of content blocks and a header section. At least a part of the
plurality of content blocks is encrypted. The header section
is operable to store information on the contents blocks. The
content data is structured by encryption key data Kdis[Kcon]
stored in the header section. The encryption key data
Kdis[Kcon] is formed by applying an encryption key Kdis to an
encryption key Kcon.

[0181] The data processing apparatus comprises means for
removing the encryption key data Kdis[Kcon] from the header
section; means for executing decryption processing on the
encryption key data Kdis[Kcon] to generate decryption data
Kcon; means for generating new encryption key data Kstr[Kcon]
by applying encryption processing by an encryption key Kstr to
the decryption data Kcon; means for storing the new encryption
key data Kstr[Kcon] in the header section of the content data;
and means for applying a different encryption key Kstr to the
generated decryption data Kcon to execute encryption
processing.

[0182] A twenty sixth aspect of the present invention is a
data processing apparatus for executing processing for
generating storing data with respect to a recording device
for recording content data. The content data includes a
plurality of content blocks and a header section. At least a
part of the plurality of content blocks is encrypted. The
header section is operable to store information on the
contents blocks. The plurality of content blocks is composed
of contents encrypted by an encryption key Kblc and encryption
key data Kcon[Kblc]. The encryption key data Kcon[Kblc] is
formed by applying an encryption key Kcon to the encryption
key Kblc. The plurality of content blocks have a structure in
which encryption key data Kdis[Kcon] is stored in the header
section. The encryption key data Kdis[Kcon] is formed by
applying an encryption key Kdis to the encryption key Kcon.
The data processing apparatus comprises: means for removing
the encryption key data Kdis[Kcon] from the header section;
means for executing decryption processing on the encryption
key data Kdis[Kcon] to generate decryption data Kcon; means
for generating new encryption key data Kstr[Kcon] by applying
encryption processing by an encryption key Kstr to the
decryption data Kcon; means for storing the new encryption key
data Kstr[Kcon] in the header section of the content data; and
means for applying a different encryption key Kstr to the
generated decryption data Kcon to execute the encryption
processing.

[0183] In addition, a twenty-seventh aspect of the present
invention is a data processing apparatus for executing processing
for generating storing data with respect to a recording device for
recording content data. The content data includes a plurality of
content blocks and a header section. At least a part of the
plurality of content blocks is encrypted. The header section is
operable to store information on the content blocks. The plurality
of content blocks are composed of contents encrypted by an
encryption key Kblc and encryption key data Kdis[Kblc]. The
encryption key data Kdis[Kblc] is formed by applying an encryption
key Kdis to the encryption key Kblc. The data processing apparatus
comprises: means for removing the encryption key data Kdis[Kblc]
from a content block section; means for executing decryption
processing of the encryption key data Kdis[Kblc] to generate
decryption data Kblc; means for generating encryption key data
Kstr[Kblc] by applying an encryption key Kstr to the decryption
data Kblc; means for storing the encryption key data Kstr[Kblc] in
the content block section; and means for applying a different
encryption key Kstr to the generated decryption data Kblc to
execute the encryption processing.

[0184] A twenty-eighth aspect of the present invention is a
content data generating method for generating content data. The
method comprises: coupling a plurality of content blocks including
at least one of voice information, image information and program
data; applying encryption processing to at least a part of the
content blocks using an encryption key Kcon; generating encryption
key data Kdis[Kcon] by applying an encryption key Kdis to the
encryption key Kcon; storing the encryption key Kdis in a header
section of the content data; and generating the content data
including the plurality of content blocks and the header section.

[0185] In addition, an embodiment of the content data generating
method of the present invention further includes generating block
information that stores information including at least one of
identification information of the content data, usage policy
information including a data length of the content data and a data
type of the content data, a data length of at least one of the
content blocks, and a presence or absence of encryption
processing. The method also includes storing the block information
in the header section.




[0186] In addition, in another embodiment of the content data
generating method of the present invention, the method further
includes generating a part check value based on a portion of
information composing the header section, storing the part check
value in the header section, generating a total check value based
on the part check value and storing the total check value in the
header section.

[0187] In addition, in yet another embodiment of the content data
generating method of the present invention, the steps of
generating the part check value and generating the total check
value are executed by applying a DES encryption processing
algorithm using data to be checked as a message and using a check
value generating key as an encryption key.
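
An added example, not code from the patent: the two-level check of [0186] and [0187], with each part check value computed as a DES CBC-MAC over one header portion and the total check value computed over the concatenated part check values. The `Header` layout, the `Seal` and `Verify` names, the use of separate part and total keys, the padding rule and all sample values are assumptions.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Header is a hypothetical layout: portions of header information, one part
// check value per portion, and a total check value over the part check values.
type Header struct {
	Parts      [][]byte
	PartChecks [][]byte
	TotalCheck []byte
}

// checkValue is a DES CBC-MAC: the data to be checked is the message, the
// check value generating key is the DES key, the last cipher block is the value.
func checkValue(key, msg []byte) ([]byte, error) {
	block, err := des.NewCipher(key) // rejects keys that are not 8 bytes
	if err != nil {
		return nil, err
	}
	// Assumed padding: 0x80 then zeros, so inputs that differ only in
	// trailing zero bytes do not share a check value.
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%des.BlockSize != 0 {
		padded = append(padded, 0)
	}
	out := make([]byte, len(padded))
	iv := make([]byte, des.BlockSize) // CBC-MAC uses a fixed zero IV
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out[len(out)-des.BlockSize:], nil
}

// Seal fills in the part check values and the total check value.
func Seal(h *Header, partKey, totalKey []byte) error {
	h.PartChecks = nil
	var all []byte
	for _, p := range h.Parts {
		cv, err := checkValue(partKey, p)
		if err != nil {
			return err
		}
		h.PartChecks = append(h.PartChecks, cv)
		all = append(all, cv...)
	}
	total, err := checkValue(totalKey, all)
	if err != nil {
		return err
	}
	h.TotalCheck = total
	return nil
}

// Verify recomputes every check value and returns nil only if all match.
func Verify(h *Header, partKey, totalKey []byte) error {
	if len(h.PartChecks) != len(h.Parts) {
		return errors.New("part check value count mismatch")
	}
	var all []byte
	for i, p := range h.Parts {
		cv, err := checkValue(partKey, p)
		if err != nil {
			return err
		}
		if subtle.ConstantTimeCompare(cv, h.PartChecks[i]) != 1 {
			return fmt.Errorf("part check value %d mismatch", i)
		}
		all = append(all, cv...)
	}
	total, err := checkValue(totalKey, all)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare(total, h.TotalCheck) != 1 {
		return errors.New("total check value mismatch")
	}
	return nil
}

func main() {
	// Constructed sample keys and header portions.
	pk, tk := []byte("partkey1"), []byte("totalky2")
	a := &Header{Parts: [][]byte{[]byte("id=A;policy=play-only"), []byte("blocks=3")}}
	b := &Header{Parts: [][]byte{[]byte("id=B;policy=copy-ok"), []byte("blocks=3")}}
	if err := Seal(a, pk, tk); err != nil {
		panic(err)
	}
	if err := Seal(b, pk, tk); err != nil {
		panic(err)
	}
	fmt.Println("intact:", Verify(a, pk, tk))
	// Splice B's first portion and its valid part check value into A.
	a.Parts[0], a.PartChecks[0] = b.Parts[0], b.PartChecks[0]
	fmt.Println("spliced:", Verify(a, pk, tk))
}
```

A portion spliced in together with its own valid part check value passes the per-part comparison and is caught only by the total check value. DES CBC-MAC is used because the text names DES; CMAC or HMAC over a current primitive is the present-day equivalent.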

[0188] In addition, an embodiment of the content data generating
method of the present invention further includes applying
encryption processing to the block information by applying the
encryption key Kdis to an encryption key Kbit, and storing the
encryption key data Kdis[Kbit] in the header section.

[0189] In addition, in another embodiment of the content data
generating method of the present invention, each block of the
plurality of content blocks is generated as a common fixed data
length.

[0190] In addition, in yet another embodiment of the content data
generating method of the present invention, each block of the
plurality of content blocks is generated with an encryption data
section and a non-encryption section arranged regularly.

[0191] A twenty-ninth aspect of the present invention is a content
data generating method for generating content data. The method
includes first coupling a plurality of content blocks each
including at least any one of voice information, image information
and program data. The method then composes at least a part of the
plurality of content blocks by applying an encryption key Kcon to
an encryption key Kblc to obtain encryption key data Kcon[Kblc].
The method generates encryption key data Kdis[Kcon] by applying an
encryption key Kdis to the encryption key Kcon. The method stores
the encryption key data Kdis[Kcon] in a header of the content
data. The method also generates the content data including the
plurality of content blocks and the header section.

[0192] A thirtieth aspect of the present invention is a content
data generating method for generating content data. The method
comprises: coupling a plurality of content blocks each including
at least any one of voice information, image information and
program data; composing at least a part of the plurality of
content blocks by applying an encryption key Kdis to an encryption
key Kblc to obtain encryption key data Kdis[Kblc]; and generating
the content data including the plurality of content blocks and a
header section of the content data.

[0193] A thirty-first aspect of the present invention is a data
processing method for storing content data in a recording device.
The content data has a plurality of content blocks and a header
section. At least a part of the plurality of content blocks are
encrypted. The header section is operable to store information on
the plurality of content blocks. The content data is structured by
encryption key data Kdis[Kcon] stored in the header section. The
encryption key data Kdis[Kcon] is formed by applying an encryption
key Kdis to an encryption key Kcon. The method comprises: removing
the encryption key data Kdis[Kcon] from the header section;
executing decryption processing on the encryption key data
Kdis[Kcon] to generate decryption data Kcon; generating new
encryption key data Kstr[Kcon] by applying an encryption key Kstr
to the generated decryption data Kcon; storing the new encryption
key data Kstr[Kcon] in the header section; and storing the header
section in the recording device together with the plurality of
content blocks.

[0194] A thirty-second aspect of the present invention is a data
processing method for storing content data in a recording device.
The content data has a plurality of content blocks and a header
section. At least a part of the plurality of content blocks are
encrypted. The header section is operable to store information on
the plurality of content blocks. The plurality of content blocks
are composed of contents encrypted by an encryption key Kblc and
encryption key data Kcon[Kblc]. The encryption key data Kcon[Kblc]
is formed by applying an encryption key Kcon to the encryption key
Kblc. The plurality of content blocks has a structure in which
encryption key data Kdis[Kcon] is stored in the header section.
The encryption key data Kdis[Kcon] is formed by applying an
encryption key Kdis to the encryption key Kcon. The method
comprises: removing the encryption key data Kdis[Kcon] from the
header section; executing decryption processing on the encryption
key data Kdis[Kcon] to generate decryption data Kcon; generating
new encryption key data Kstr[Kcon] by applying an encryption key
Kstr to the generated decryption data Kcon; storing the new
encryption key data Kstr[Kcon] in the header section; and storing
the header section in the recording device together with the
plurality of content blocks.

[0195] A thirty-third aspect of the present invention is a data
processing method for storing content data in a recording device.
The content data has a plurality of content blocks and a header
section. At least a part of the plurality of content blocks are
encrypted. The header section is operable to store information on
the plurality of content blocks. The plurality of content blocks
are composed of contents encrypted by an encryption key Kblc and
encryption key data Kdis[Kblc]. The encryption key data Kdis[Kblc]
is formed by applying an encryption key Kdis to the encryption key
Kblc. The method comprises: removing the encryption key data
Kdis[Kblc] from a content block section; executing decryption
processing of the encryption key data Kdis[Kblc] to generate
decryption data Kblc; generating encryption key data Kstr[Kblc] by
applying an encryption key Kstr to the generated decryption data
Kblc; storing the generated encryption key data Kstr[Kblc] in the
content block section; and storing the content block section in
the recording device together with the plurality of content
blocks.
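
An added example, not code from the patent: the storing procedure of the thirty-first aspect ([0193]), in which Kdis[Kcon] is taken from the header, decrypted to Kcon and re-encrypted as Kstr[Kcon] while the content blocks stay exactly as distributed. Single DES for key wrapping and block encryption, the zero IV, the `Content` type, the function names and all key values are assumptions.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// Content is a hypothetical in-memory form of the page's content data.
type Content struct {
	WrappedKcon []byte   // header: Kdis[Kcon] as distributed, Kstr[Kcon] once stored
	Encrypted   []bool   // header block information: is block i encrypted?
	Blocks      [][]byte // content blocks; encrypted ones are under Kcon
}

// desCBC encrypts or decrypts with single DES in CBC mode and a zero IV.
// Applied to an 8-byte key it is one DES block operation (the key wrap).
func desCBC(key, data []byte, encrypt bool) ([]byte, error) {
	c, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) == 0 || len(data)%des.BlockSize != 0 {
		return nil, fmt.Errorf("input of %d bytes is not a multiple of 8", len(data))
	}
	out, iv := make([]byte, len(data)), make([]byte, des.BlockSize)
	if encrypt {
		cipher.NewCBCEncrypter(c, iv).CryptBlocks(out, data)
	} else {
		cipher.NewCBCDecrypter(c, iv).CryptBlocks(out, data)
	}
	return out, nil
}

// Distribute builds content data as a provider would: the first nEnc blocks
// are encrypted under Kcon and Kdis[Kcon] goes into the header.
func Distribute(plain [][]byte, nEnc int, kcon, kdis []byte) (*Content, error) {
	wk, err := desCBC(kdis, kcon, true)
	if err != nil {
		return nil, err
	}
	c := &Content{WrappedKcon: wk}
	for i, p := range plain {
		data := append([]byte{}, p...)
		if i < nEnc {
			if data, err = desCBC(kcon, p, true); err != nil {
				return nil, err
			}
		}
		c.Encrypted = append(c.Encrypted, i < nEnc)
		c.Blocks = append(c.Blocks, data)
	}
	return c, nil
}

// RewrapForStorage takes Kdis[Kcon] from the header, decrypts it to Kcon and
// stores Kstr[Kcon] in its place. The content blocks are not touched.
func RewrapForStorage(c *Content, kdis, kstr []byte) error {
	kcon, err := desCBC(kdis, c.WrappedKcon, false) // decryption data Kcon
	if err != nil {
		return err
	}
	stored, err := desCBC(kstr, kcon, true) // new key data Kstr[Kcon]
	if err == nil {
		c.WrappedKcon = stored
	}
	return err
}

// Reproduce unwraps Kcon with kek and decrypts the encrypted blocks.
func Reproduce(c *Content, kek []byte) ([][]byte, error) {
	kcon, err := desCBC(kek, c.WrappedKcon, false)
	if err != nil {
		return nil, err
	}
	var out [][]byte
	for i, data := range c.Blocks {
		if i < len(c.Encrypted) && c.Encrypted[i] {
			if data, err = desCBC(kcon, data, false); err != nil {
				return nil, err
			}
		}
		out = append(out, data)
	}
	return out, nil
}

func main() {
	plain := [][]byte{[]byte("16-byte block #1"), []byte("plain block #2")} // constructed
	c, err := Distribute(plain, 1, []byte("contkey1"), []byte("distkey1"))
	if err == nil {
		err = RewrapForStorage(c, []byte("distkey1"), []byte("storkey1"))
	}
	if err != nil {
		panic(err)
	}
	got, err := Reproduce(c, []byte("storkey1"))
	fmt.Printf("with Kstr: %q %v\n", got, err)
}
```

The unwrap carries no integrity of its own, so using the wrong key yields a garbage Kcon and garbage blocks rather than an error.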

[0196] A thirty-fourth aspect of the present invention is a
recording medium recorded with a computer program for generating
storing data with respect to a recording device for recording
content data. The content data includes a plurality of content
blocks and a header section. At least a part of the plurality of
content blocks are encrypted and the header section is operable to
store information on the content blocks. The content data is
structured by encryption key data Kdis[Kcon] stored in the header
section. The encryption key data Kdis[Kcon] is formed by applying
an encryption key Kdis to an encryption key Kcon. The computer
program comprises: removing the encryption key data Kdis[Kcon]
from the header section; executing decryption processing on the
encryption key data Kdis[Kcon] to generate decryption data Kcon;
generating new encryption key data Kstr[Kcon] by applying an
encryption key Kstr to the generated decryption data Kcon; and
storing the new encryption key data Kstr[Kcon] in the header
section of the content data.

[0197] A thirty-fifth aspect of the present invention is a data
processing apparatus for reproducing content data. The content
data includes compressed contents and an expansion processing
program of the compressed contents, and is provided by a storage
medium or a communication medium. The data processing apparatus
includes a content data analyzing section for executing content
data analysis of the compressed contents and the expansion
processing program of the compressed contents. The content data
analyzing section is operable to extract the compressed contents
and the expansion processing program from the content data. The
apparatus also includes an expansion processing section for
executing expansion processing of the content data using an
expansion processing program obtained as a result of the analysis
of the content data analyzing section.

[0198] In addition, in one embodiment of the data processing
apparatus of the present invention, the data processing apparatus
further includes a data storing section for storing the compressed
contents, and a program storing section for storing the expansion
processing program extracted by the content data analyzing
section. The expansion processing section has a configuration for
executing the expansion processing with respect to the compressed
contents by applying the expansion processing program to the
compressed contents.

[0199] In addition, in one embodiment of the data processing
apparatus of the present invention, the contents data analyzing
section has a configuration for obtaining configuration
information of the content data based on header information
included in the content data, and the content data analyzing
section is operable to perform analysis of the content data.

[0200] In addition, in one embodiment of the data processing
apparatus of the present invention, reproduction priority
information of the compressed contents is included in the header
information. If there are a plurality of compressed contents, the
expansion processing section has a configuration for sequentially
executing content expansion processing in accordance with the
priority based on the reproduction priority information in the
header information obtained in the content data analyzing section.

[0201] In addition, in one embodiment of the data processing
apparatus of the present invention, the data processing apparatus
further includes displaying means for displaying information of
the compressed contents; and inputting means for inputting
reproduction contents identification data selected from the
information displayed on the displaying means. The expansion
processing section has a configuration for executing expansion
processing of the compressed contents corresponding to the
reproduction contents identification data inputted from the
inputting means.

[0202] In addition, a thirty-sixth aspect of the present invention
is a data processing apparatus for reproducing content data. The
content data includes one of compressed contents and an expansion
processing program. The content data is provided by a storage
medium or a communication medium. The apparatus includes a content
data analyzing section for receiving the content data. The content
data analyzing section is operable to distinguish whether the
content data includes the compressed contents or the expansion
processing program from header information included in the
received content data. If the content data includes the compressed
contents, the content data analyzing section is operable to
analyze a type of a compressing processing program applied to the
compressed contents from the header information. If the content
data includes the expansion processing program, the content data
analyzing section is operable to analyze a type of expansion
processing program from the header information. The apparatus also
includes an expansion processing section for executing expansion
processing of the compressed contents. The expansion processing
section has a configuration for selecting a specific expansion
processing program applicable to the type of compression
processing program analyzed by the content data analyzing section
based on the type of expansion processing program, and being
operable to execute the expansion processing by using the selected
specific expansion processing program.

[0203] In addition, in one embodiment of the data processing
apparatus of the present invention, the data processing apparatus
further includes a data storing section for storing the compressed
contents analyzed by the content data analyzing section, and a
program storing section for storing the specific expansion
processing program extracted by the content data analyzing
section, wherein the expansion processing section has a
configuration for executing the expansion processing by applying
the specific expansion processing program to the compressed
contents.

[0204] In addition, in one embodiment of the data processing
apparatus of the present invention, the data processing apparatus
further includes reproduction priority information associated with
the compressed contents. The reproduction priority information is
included in the header information. If there are a plurality of
compressed contents, the expansion processing section has a
configuration for sequentially executing the expansion processing
in accordance with the priority based on the reproduction priority
information.

[0205] In addition, in one embodiment of the data processing
apparatus of the present invention, the data processing apparatus
further includes retrieving means for retrieving the specific
expansion processing program, with program storing means
accessible by the data processing apparatus as an object of
retrieval.

[0206] In addition, in one embodiment of the data processing
apparatus of the present invention, the data processing apparatus
further includes displaying means for displaying information of
the compressed contents; and inputting means for inputting
reproduction contents identification data selected from the
information displayed on the displaying means, wherein the
expansion processing section has a configuration for executing the
expansion processing of the compressed contents corresponding to
the identification data based on the reproduction contents
identification data inputted from the inputting means.

[0207] In addition, a thirty-seventh aspect of the present
invention is a data processing method for reproducing content
data. The content data includes compressed contents and an
expansion processing program of the compressed contents. The
content data is provided by a storage medium or a communication
medium. The method comprises: executing content data analysis of
the content data; extracting the compressed contents and the
expansion processing program from the content data; and executing
expansion processing of the compressed content using the expansion
processing program.

[0208] In addition, in one embodiment of the data processing
method of the present invention, the data processing method
further includes storing the extracted compressed contents; and
storing the extracted expansion processing program, wherein
expansion processing is executed with respect to the compressed
contents by applying the stored expansion processing program to
the compressed contents.

[0209] In addition, in one embodiment of the data processing
method of the present invention, the contents data analyzing step
further includes obtaining configuration information of the
content data based on header information included in the content
data prior to executing the content data analysis.

[0210] In addition, in one embodiment of the data processing
method of the present invention, the compressed contents includes
reproduction priority information included in the header
information. If there are a plurality of compressed contents, the
expansion processing step sequentially executes content expansion
processing in accordance with the priority based on the
reproduction priority information.

[0211] In addition, in one embodiment of the data processing
method of the present invention, the data processing method
further includes displaying information of the compressed contents
on displaying means; and inputting reproduction contents
identification data selected from the displayed information,
wherein the expansion processing of the compressed contents is
performed corresponding to the reproduction contents
identification data inputted from the inputting step.

[0212] In addition, a thirty-eighth aspect of the present
invention is a data processing method for reproducing content
data. The content data includes one of compressed contents and an
expansion processing program. The content data is provided by a
storage medium or a communication medium. The method includes
receiving content data and distinguishing whether the content data
includes the compressed contents or the expansion processing
program from header information included in the received content
data. If the content data includes the compressed contents, the
method includes analyzing a type of compressing processing program
applied to the compressed contents from the header information. If
the content data includes the expansion processing program, the
method includes analyzing a type of expansion processing program
from the header information. The method also includes selecting a
specific expansion processing program applicable to the type of
compression processing program based on the type of expansion
processing program; and executing expansion processing using the
specific expansion processing program.

[0213] In addition, in one embodiment of the data processing
method of the present invention, the data processing method
further includes storing the compressed contents; and storing the
specific expansion processing program extracted by the content
data analyzing section, wherein the expansion processing is
executed by applying the specific expansion processing program to
the compressed contents.

[0214] In addition, in one embodiment of the data processing
method of the present invention, reproduction priority
information is associated with the compressed contents. The
reproduction priority information is included in the header
information. If there are a plurality of compressed contents,
the expansion processing step includes sequentially executing
the content expansion processing in accordance with the
priority based on the reproduction priority information.

[0215] In addition, in one embodiment of the data processing
method of the present invention, the data processing method
further includes retrieving the specific expansion processing
program from a program storing means accessible by the data
processing apparatus as an object of retrieval.

[0216] In addition, in one embodiment of the data processing
method of the present invention, the data processing method
further includes displaying information of the compressed
contents and inputting reproduction contents identification
data selected from the displayed information, wherein the
expansion processing is performed on the compressed contents
corresponding to the reproduction contents identification data.

[0217] In addition, a thirty-ninth aspect of the present
invention is a content data generating method for generating
content data. The content data is provided by a storage medium
or a communication medium. The method comprises combining
compressed contents and an expansion processing program, and
generating the content data including the compressed contents
and the expansion processing program.

[0218] In addition, in one embodiment of the content data
generating method of the present invention, the content data
generating method further includes adding configuration
information as header information of the content data.

[0219] In addition, in one embodiment of the content data
generating method of the present invention, the header
information includes reproduction priority information of
contents included in the content data.

[0220] In addition, a fortieth aspect of the present invention
is a content data generating method for generating content
data. The content data is provided by a storage medium or a
communication medium. The method comprises identifying whether
the content data has, as header information, compressed
contents or an expansion processing program. If the content
data has the compressed contents, a type of compression
processing program applied to the compressed contents is added
as header information. If the content data has the expansion
processing program, a type of an expansion processing program
is added as header information.

[0221] In addition, in one embodiment of the content data
generating method of the present invention, the content data
generating method further includes adding reproduction
priority information as header information of the content data.

[0222] In addition, a forty-first aspect of the present
invention is a program recording medium recorded with a
computer program that causes a computer system to execute
reproduction processing for reproducing content data. The
content data includes compressed contents and an expansion
processing program for the compressed contents. The content
data is provided by a storage medium or a communication medium.
The computer program comprises executing content data analysis
of the content data, extracting the compressed contents and
the expansion processing program from the content data, and
executing expansion processing of the extracted content data
using the expansion processing program.

[0223] The program providing medium in accordance with the
present invention is, for example, a medium for providing a
computer program in a computer readable form to a general
purpose computer system that can execute various program codes.
A form of the medium is a storage medium such as a CD, an FD
or an MO, or a transmission medium such as a network, and is
not specifically limited.

[0224] Such a program providing medium defines a structural
or functional cooperative relationship between a computer
program and a providing medium for realizing a predetermined
function of the computer program on a computer system. In
other words, a cooperative operation is shown on the computer
system by installing the computer program in the computer
system via the providing medium, and operational effects
similar to other aspects of the present invention can be
obtained.

[0225] Other objects, features, and advantages of the
present invention will be seen from the detailed explanation
based on the embodiment and attached drawings of the present 
invention described later. 

[0226] As described above, according to the data processing
apparatus and method and data-verifying-value-imparting method
of the present invention, partial integrity check values
generated as integrity check values for a partial data set
containing one or more partial data obtained by dividing
content data into a plurality of pieces are used for a
collation process to verify the partial data, and
partial-integrity-check-value-verifying integrity check values
used to verify a partial integrity check value set comprising a
combination of a plurality of partial integrity check values
are used for a collation process to verify the entirety of a
plurality of partial data sets corresponding to a plurality of
partial integrity check values constituting a partial
integrity check value set. Consequently, compared to a
configuration for imparting a single integrity check value to
the entire content data, partial verification is achieved and
the entire verification process is efficient due to the use of
the partial integrity check values.

[0227] Further, according to the data processing apparatus
and method and data-verifying-value-imparting method of the
present invention, the verification process can be executed
depending on how content data are used, for example, whether
the data are to be downloaded or reproduced; for example, a
verification process for a data portion that is unlikely to be
tampered with can be omitted. Therefore, efficient verification
is achieved depending on how data are used.
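
The two-level check described in [0226] and [0227] can be sketched as follows. This is an added example, not code from the patent: HMAC-SHA256 stands in for the DES-based check value generation the document refers to, and the key names, part names and sample data are constructed for illustration.

```python
import hashlib
import hmac

# Constructed keys for this example; separate keys for partial and total values.
PARTIAL_KEY = b"constructed-partial-icv-key"
TOTAL_KEY = b"constructed-total-icv-key"

# Constructed content: a header and two content blocks (the "partial data sets").
SAMPLE_PARTS = [
    ("header", b"usage-policy|block-info"),
    ("block-0", b"first content block"),
    ("block-1", b"second content block"),
]


def _mac(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 is an assumption; the document itself describes DES-based values.
    return hmac.new(key, data, hashlib.sha256).digest()


def _icv_set_bytes(partial_icvs):
    # Bind each length-prefixed name to its ICV, in order, so entries
    # cannot be swapped, dropped or reordered without detection.
    out = bytearray()
    for name, value in partial_icvs:
        encoded = name.encode()
        out += len(encoded).to_bytes(2, "big") + encoded + value
    return bytes(out)


def impart_check_values(parts):
    """Return (partial_icvs, total_icv) for an ordered list of (name, data)."""
    partial_icvs = [(name, _mac(PARTIAL_KEY, data)) for name, data in parts]
    total_icv = _mac(TOTAL_KEY, _icv_set_bytes(partial_icvs))
    return partial_icvs, total_icv


def verify(parts, partial_icvs, total_icv, wanted=None):
    """Return (ok, failed_names).

    `wanted` limits which partial data sets are recomputed, which is how a
    download path and a reproduction path can check different portions.
    """
    # Step 1: verify the set of partial ICVs as a whole. This hashes only
    # the short ICV list, not the content itself.
    recomputed_total = _mac(TOTAL_KEY, _icv_set_bytes(partial_icvs))
    if not hmac.compare_digest(recomputed_total, total_icv):
        return False, ["<icv-set>"]

    # Step 2: recompute only the partial ICVs this use of the data needs.
    stored = dict(partial_icvs)
    data = dict(parts)
    names = list(stored) if wanted is None else list(wanted)
    failed = []
    for name in names:
        if name not in stored or name not in data:
            failed.append(name)
        elif not hmac.compare_digest(_mac(PARTIAL_KEY, data[name]), stored[name]):
            failed.append(name)
    return not failed, failed


if __name__ == "__main__":
    icvs, total = impart_check_values(SAMPLE_PARTS)
    tampered = [(n, d + b"!") if n == "block-1" else (n, d) for n, d in SAMPLE_PARTS]
    print(verify(tampered, icvs, total, wanted=["header"]))  # header-only check
    print(verify(tampered, icvs, total))                     # full check
```

A full check localizes the modified block by name, while a check restricted to the header never touches the content blocks.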

[0228] Furthermore, the data processing apparatus and data
processing method of the present invention are configured in
such a way that individual keys necessary to execute
encryption processing such as data encryption, data decryption,
data verification, authentication processing and signature
processing are not stored in a storage section; master keys to
generate these individual keys are stored in the storage
section instead. The encryption processing section of the data
processing apparatus extracts the master keys corresponding to
these individual keys, such as encryption keys and
authentication keys, from the storage section as required,
executes encryption processing applying a DES algorithm, etc.
based on the extracted master keys and identification data of
the apparatus or data, and generates individual keys such as an
encryption key and authentication key. The present invention
therefore eliminates the possibility of the individual keys
themselves leaking from the storage section and enhances the
security of an encryption processing system, because acquiring
the individual keys requires a plurality of information
pieces: both the individual key generation algorithm and the
master keys, and the identification data of the apparatus or
data. Moreover, even if an individual key is leaked for some
reason, the range of damage is limited to the range of the
individual key, which will not lead to collapse of the entire
system.

[0229] Furthermore, the data processing apparatus, data
processing system and data processing method of the present
invention are configured in such a way that individual keys are
sequentially generated based on the identification data of the 
apparatus or data, which eliminates the need to maintain the 
list of keys applied to individual apparatuses in a control 
apparatus, facilitating system control as well as enhancing 
the security. 

[0230] Furthermore, according to the data processing
apparatus, data processing method and contents data generation
method of the present invention, illegal device identification 
data information is stored in contents data, collation between 
an illegal device list and the recorder/reproducer identifier 
of the recorder/reproducer attempting to use the contents is 
executed prior to the use of the contents by the 
recorder/reproducer, and in the case where the collation 
result shows that some entries of the illegal device list 
match the recorder/reproducer identifier, the subsequent 
processing, for example, contents data decryption, downloading 
or reproduction processing, etc. is stopped, thus making it 
possible to prevent a reproducer, etc. that has illegally 
acquired a key from illegally using contents. 

[0231] Furthermore, the data processing apparatus, data
processing method and contents data generation method of the
present invention adopt a configuration allowing the contents 
data to include check values together for the illegal device 
list in the content data, making it possible to prevent 
tampering of the list itself and provide a contents data 
utilization configuration with enhanced security. 
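
The key handling in [0228] and [0229] and the revocation check in [0230] and [0231] can be sketched together. This is an added example, not code from the patent: HMAC-SHA256 replaces the DES-based derivation the document mentions, and every key, identifier, field name and function name below is constructed or hypothetical.

```python
import hashlib
import hmac

# Constructed secrets for this example. Only master keys are stored;
# individual keys are derived on demand and never written to storage.
MASTER_KEY = b"constructed-master-key"
LIST_CHECK_KEY = b"constructed-list-check-key"


def derive_individual_key(master_key: bytes, purpose: bytes, identifier: bytes) -> bytes:
    """Derive a per-apparatus (or per-data) key from a master key and an ID.

    `purpose` separates, for example, authentication keys from encryption
    keys derived under the same master key. HMAC-SHA256 is an assumption;
    the document describes applying a DES algorithm instead.
    """
    message = len(purpose).to_bytes(1, "big") + purpose + identifier
    return hmac.new(master_key, message, hashlib.sha256).digest()


def _encode_list(device_ids) -> bytes:
    # Length-prefix every entry so the encoding of the list is unambiguous.
    out = len(device_ids).to_bytes(4, "big")
    for dev in device_ids:
        out += len(dev).to_bytes(2, "big") + dev
    return out


def build_header(list_check_key: bytes, revoked_ids) -> dict:
    """Content-side: store the illegal device list with its check value."""
    ids = sorted(set(revoked_ids))
    icv = hmac.new(list_check_key, _encode_list(ids), hashlib.sha256).digest()
    return {"revocation_list": ids, "revocation_icv": icv}


def may_use_content(list_check_key: bytes, header: dict, device_id: bytes):
    """Device-side check run before decryption, download or reproduction."""
    ids = header["revocation_list"]
    expected = hmac.new(list_check_key, _encode_list(ids), hashlib.sha256).digest()
    # Verify the list first: a list that fails its check value proves nothing.
    if not hmac.compare_digest(expected, header["revocation_icv"]):
        return False, "revocation list check value mismatch"
    if device_id in ids:
        return False, "device is on the illegal device list"
    return True, "ok"


if __name__ == "__main__":
    # Both ends derive the same key from the ID, so no per-device key list is kept.
    device_key = derive_individual_key(MASTER_KEY, b"auth", b"device-0001")
    control_key = derive_individual_key(MASTER_KEY, b"auth", b"device-0001")
    print(device_key == control_key)

    header = build_header(LIST_CHECK_KEY, [b"device-0002"])
    print(may_use_content(LIST_CHECK_KEY, header, b"device-0001"))
    print(may_use_content(LIST_CHECK_KEY, header, b"device-0002"))

    # Removing an entry without the check key is detected.
    forged = dict(header, revocation_list=[])
    print(may_use_content(LIST_CHECK_KEY, forged, b"device-0002"))
```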

[0232] Furthermore, the data processing apparatus and data
processing method of the present invention allow a data
processing apparatus such as a recorder/reproducer and PC to 
store an apparatus-specific key, which is specific to the data 
processing apparatus and a system common key, which is common 
to other data processing apparatuses using contents data, 
making it possible to process contents according to contents 
utilization restrictions. The data processing apparatus
selectively uses these two keys according to contents 
utilization restrictions. For example, in the case where the 
contents are only available to the data processing apparatus, 
the key specific to the data processing apparatus is used, 
while in the case where the contents are also available to 
other systems, a check value for the contents data is 
generated and collation processing is performed using the 
system common key. It is possible to decrypt and reproduce the 
encrypted data only when the collation is established, thus 
allowing processing according to contents utilization 
restrictions such as contents only available to the data 
processing apparatus or contents commonly available to the 
system, etc. 

[0233] Furthermore, the data processing apparatus, data
processing method and contents data verification value
assignment method of the present invention are configured to
generate a contents check value in units of contents block
data, execute collation processing on the contents check value
generated, generate a contents intermediate value based on the
contents block data to be verified and generate a contents
check value through encryption processing applying a contents
check value generation key, thus allowing efficient
verification compared to conventional processing on entire
data.

[0234] Furthermore, the data processing apparatus, data
processing method and contents data verification value
assignment method of the present invention allow verification
in contents block units and simplified verification processing
according to download processing and reproduction processing,
etc., providing efficient verification according to the mode of
use.

[0235] Furthermore, since the data processing apparatus,
the content data generating method, and the data processing
method of the present invention are made to have the
configuration that is provided with the plurality of content
blocks in the content data and enables encryption processing
for a unit of each content block, and also have the
configuration in which the key used for content encryption is
further encrypted and stored in the header section, even if,
for example, a plurality of content blocks exist and blocks
requiring encryption processing and blocks not requiring
encryption processing are mixed, it becomes possible to have
an arbitrary data structure that couples each block.

[0236] In addition, according to the data processing
apparatus, the data processing system, and the data processing
method of the present invention, by making the configuration
of the content block to be a regular configuration, for
example, a configuration having a uniform data length, or a
configuration in which the encryption block and the
non-encryption (plaintext) block are alternately disposed,
decryption processing and the like of the content block can be
promptly executed, and encryption content data suitable for
processing corresponding to contents of the content data, for
example, reproduction and the like of music data can be
provided.

[0237] Furthermore, the data processing apparatus, the data
processing method and the content data generating method can
efficiently execute reproduction processing in the case in 
which contents are compressed voice data, image data or the 
like. That is, by making a configuration of content data to be 
one in which compressed data and an expansion processing 
program are combined, expansion processing, to which an 
expansion processing program incidental to compressed content 
data is applied, is made possible in the reproduction 
processing apparatus, and a situation in which the expansion 
processing program does not exist in the reproduction 
processing apparatus and reproduction cannot be performed can 
be avoided. 

[0238] Moreover, according to the data processing apparatus, 
the data processing method and the content data generating 
means, since a configuration of content data has a 
configuration in which the reproduction processing apparatus 
determines the expansion processing program applicable to the 
compressed content data based on the header information, and 
the reproduction processing apparatus further retrieves a 
program applicable from accessible recording media or the like
and executes expansion processing by making content data to be 
a combination of compressed data and the header section 
storing the type of the compression processing program, or, if 
the contents have the expansion processing program, a
combination of the expansion processing program and the header 
storing the type of the program, program retrieving processing 
does not need to be executed by a user, and efficient 
reproduction processing becomes possible. 

BRIEF DESCRIPTION OF THE DRAWINGS

[0239] Fig. 1 is a view showing the configuration of a
conventional data processing system.

[0240] Fig. 2 is a view showing the configuration of a data
processing apparatus to which the present invention is applied.

[0241] Fig. 3 is a view showing the configuration of a data
processing apparatus to which the present invention is applied.

[0242] Fig. 4 is a view showing a data format of content
data on a medium or a communication path.

[0243] Fig. 5 is a view showing a usage policy contained in
a header of content data.

[0244] Fig. 6 is a view showing block information contained
in a header of content data.

[0245] Fig. 7 is a view showing an electronic signature
generating method using the DES.

[0246] Fig. 8 is a view showing an electronic signature
generating method using the Triple DES.

[0247] Fig. 9 is a view depicting the aspect of the Triple DES.

[0248] Fig. 10 is a view showing an electronic signature
generating method partly using the Triple DES.

[0249] Fig. 11 is a view showing a process flow of
electronic signature generation.

[0250] Fig. 12 is a view showing a process flow of
electronic signature generation.

[0251] Fig. 13 is a view depicting a mutual authentication
process sequence using a symmetrical cryptography technique.

[0252] Fig. 14 is a view depicting a public key certificate.

[0253] Fig. 15 is a view depicting a mutual authentication
process sequence using an asymmetrical cryptography technique.

[0254] Fig. 16 is a view showing a process flow of an
encryption process using elliptic curve cryptography.

[0255] Fig. 17 is a view showing a process flow of a
decryption process using elliptic curve cryptography.

[0256] Fig. 18 is a view showing how data are held on a
recording and reproducing device.

[0257] Fig. 19 is a view showing how data are held on a
recording device.

[0258] Fig. 20 is a view showing a process flow of mutual
authentication between the recording and reproducing device
and the recording device.

[0259] Fig. 21 is a view showing the relationship between a
master key of the recording and reproducing device and a
corresponding master key of the recording device.

[0260] Fig. 22 is a view showing a process flow of a
content download process.

[0261] Fig. 23 is a view depicting a method for generating
an integrity check value A: ICVa.

[0262] Fig. 24 is a view depicting a method for generating
an integrity check value B: ICVb.

[0263] Fig. 25 is a view depicting a method for generating a
total integrity check value and an integrity check value
unique to the recording and reproducing device.

[0264] Fig. 26 is a view showing a format of content data
stored in the recording device (localization field = 0).

[0265] Fig. 27 is a view showing a format of content data
stored in the recording device (localization field = 1).

[0266] Fig. 28 is a view showing a process flow of a
content reproduction process.

[0267] Fig. 29 is a view depicting a method by which the
recording device executes commands.

[0268] Fig. 30 is a view depicting a method by which the
recording device executes commands in a content storage process.

[0269] Fig. 31 is a view depicting a method by which the
recording device executes commands in a content reproduction
process.

[0270] Fig. 32 is a view depicting the configuration of a
content data format type 0.

[0271] Fig. 33 is a view depicting the configuration of a
content data format type 1.

[0272] Fig. 34 is a view depicting the configuration of a
content data format type 2.

[0273] Fig. 35 is a view depicting the configuration of a
content data format type 3.

[0274] Fig. 36 is a view depicting a method for generating a
content integrity check value ICVi for the format type 0.

[0275] Fig. 37 is a view depicting a method for generating a
content integrity check value ICVi for the format type 1.

[0276] Fig. 38 is a view depicting a

[0284] Fig. 46 is a view (1) depicting a method by which a
content generator and a content verifier generate integrity
check values and execute verification using them.

[0285] Fig. 47 is a view (2) depicting a method by which the
content generator and the content verifier generate integrity
check values and execute verification using them.

[0286] Fig. 48 is a view (3) depicting a method by which the
content generator and the content verifier generate integrity
check values and execute verification using them.

[0287] Fig. 49 is a view depicting a method for individually
generating various keys using master keys.

[0288] Fig. 50 is a view (example 1) showing an example of
a process executed by a content provider and a user in
conjunction with the method for individually generating
various keys using master keys.

[0289] Fig. 51 is a view (example 2) showing an example of
a process executed by the content provider and the user in
conjunction with the method for individually generating
various keys using master keys.

[0290] Fig. 52 is a view illustrating a configuration for
executing localization using different master keys.

[0291] Fig. 53 is a view (example 3) showing an example of
a process executed by the content provider and the user in
conjunction with the method for individually generating
various keys using master keys.

[0292] Fig. 54 is a view (example 4) showing an example of
a process executed by the content provider and the user in
conjunction with the method for individually generating
various keys using master keys.

[0293] Fig. 55 is a view (example 5) showing an example of
a process executed by the content provider and the user in
conjunction with the method for individually generating
various keys using master keys.

[0294] Fig. 56 is a view showing a flow of a process for
storing a cryptography key with the Triple DES applied thereto,
using the Single DES algorithm.

[0295] Fig. 57 is a view showing a content reproduction
process flow (example 1) based on priority.

[0296] Fig. 58 is a view showing a content reproduction
process flow (example 2) based on priority.

[0297] Fig. 59 is a view showing a content reproduction
process flow (example 3) based on priority.

[0298] Fig. 60 is a view illustrating a configuration for
executing a process for decrypting (decompressing) compressed
data during the content reproduction process.

[0299] Fig. 61 is a view showing an example of the
configuration of content (example 1).

[0300] Fig. 62 is a view showing a reproduction process
flow in the example 1 of the configuration of the content.

[0301] Fig. 63 is a view showing an example of the
configuration of content (example 2).

[0302] Fig. 64 is a view showing a reproduction process
flow in the example 2 of the configuration of the content.

[0303] Fig. 65 is a view showing an example of the
configuration of content (example 3).

[0304] Fig. 66 is a view showing a reproduction process
flow in the example 3 of the configuration of the content.

[0305] Fig. 67 is a view showing an example of the
configuration of content (example 4).

[0306] Fig. 68 is a view showing a reproduction process
flow in the example 4 of the configuration of the content.

[0307] Fig. 69 is a view illustrating a process for
generating and storing save data.

[0308] Fig. 70 is a view showing a process flow for an
example (example 1) of the process for storing saved data.

[0309] Fig. 71 is a view showing the configuration of a
data managing file (example 1) used during a process for
storing and reproducing save data.

[0310] Fig. 72 is a view showing a process flow for an
example (example 1) of the process for reproducing save data.

[0311] Fig. 73 is a view showing a process flow for an
example (example 2) of the process for storing save data.

[0312] Fig. 74 is a view showing a process flow for an
example (example 2) of the process for reproducing save data.

[0313] Fig. 75 is a view showing a process flow for an
example (example 3) of the process for storing save data.

[0314] Fig. 76 is a view showing the configuration of a
data managing file (example 2) used during the process for
storing and reproducing save data.

[0315] Fig. 77 is a view showing a process flow for an
example (example 3) of the process for reproducing save data.

[0316] Fig. 78 is a view showing a process flow for an
example (example 4) of the process for storing save data.

[0317] Fig. 79 is a view showing a process flow for an
example (example 4) of the process for reproducing save data.

[0318] Fig. 80 is a view showing a process flow for an
example (example 5) of the process for storing save data.

[0319] Fig. 81 is a view showing the configuration of a
data managing file (example 3) used during the process for
storing and reproducing save data.

[0320] Fig. 82 is a view showing a process flow for an
example (example 5) of the process for reproducing save data.

[0321] Fig. 83 is a view showing a process flow for an
example (example 6) of the process for storing save data.

[0322] Fig. 84 is a view showing the configuration of a
data managing file (example 4) used during the process for
storing and reproducing save data.

[0323] Fig. 85 is a view showing a process flow for an
example (example 6) of the process for reproducing save data.

[0324] Fig. 86 is a view illustrating a configuration for
excluding invalid content users (revocation).

[0325] Fig. 87 is a view showing a flow of a process
(example 1) for excluding invalid content users (revocation).

[0326] Fig. 88 is a view showing a flow of a process
(example 2) for excluding invalid content users (revocation).

[0327] Fig. 89 is a view illustrating a configuration of the
security chip (example 1).

[0328] Fig. 90 is a view showing a process flow for a
method for manufacturing a security chip.

[0329] Fig. 91 is a view illustrating the configuration of
the security chip (example 2).

[0330] Fig. 92 is a view showing a flow of a process for
writing data in the security chip (example 2).

[0331] Fig. 93 is a view showing a flow of a process for
checking written data in the security chip (example 2).

DETAILED DESCRIPTION

[0332] The embodiments of the present invention will be 
described below. The description will proceed in the order of 
the following items: 

(1) Configuration of Data Processing Apparatus

(2) Content Data Format 

(3) Outline of Cryptography Processes Applicable to Present 
Data Processing Apparatus 

(4) Configuration of Data Stored in Recording and Reproducing 
Apparatus 

(5) Configuration of Data Stored in Recording Device 

(6) Mutual Authentication Process between Recording and 
Reproducing Device and Recording Device 

(6-1) Outline of Mutual Authentication Process 

(6-2) Switching to Key Block during Mutual Authentication 

(7) Process for Downloading from Recording and Reproducing 
Device to Recording Device 

(8) Process Executed by Recording and Reproducing Device to 
Reproduce Information from Recording Device 

(9) Key Exchanging Process after Mutual Authentication 

(10) Plural Content Data Formats and Download and Reproduction 
Processes Corresponding to Each Format 

(11) Aspect of Process Executed by Content Provider to Generate 
Check Values (ICV) 

(12) Cryptography Process Key Generating Configuration Based on 
Master Key 

(13) Controlling Cryptography Intensity in Cryptography Process 

(14) Program Activating Process Based on Activation Priority in 
Handling Policy in Content Data 

(15) Content Configuration and Reproduction (Decompression)
Process 

(16) Process for Generating and Storing Saved Data in Recording
Device and Reproducing the Same therefrom 

(17) Configuration for Excluding (Revoking) Illegal Apparatuses 

(18) Secure Chip Configuration and Manufacturing Method 
therefor 

(1) Configuration of Data Processing Apparatus 

[0333] Fig. 2 illustrates a block diagram showing the
general configuration of one embodiment of a data processing
apparatus according to the present invention. Main components
of the data processing apparatus are a recording and
reproducing device 300 and a recording device 400.

[0334] The recording and reproducing device 300 comprises,
for example, a personal computer (PC), a game apparatus or
the like. The recording and reproducing device 300 has a
control section 301 for carrying out unifying control
including the control of communication between the recording
and reproducing device 300 and the recording device 400 during
a cryptography process in the recording and reproducing device
300. The recording and reproducing device 300 also includes a
cryptography process section 302, which is responsible for the
whole cryptography process. It also includes a recording
device controller 303 for executing an authentication process
with the recording device 400 connected to the recording and
reproducing device 300 to read and write data. Recording and
reproducing device 300 further includes a read section 304 for
at least reading data from a medium 500, such as a DVD, CD,
floppy disk (FD) or hard disk (HDD), and a communication
section 305 for transmitting and receiving data to and from
the exterior network via communication means 600.

[0335] The recording and reproducing device 300 downloads 
and reproduces content data to and from the recording device 
400 controlled by the control section 301. The recording 
device 400 is a storage medium that can preferably be 
installed in and removed from the recording and reproducing 
device 300, for example, as a memory card. The recording 
device 400 has an external memory 402 comprising a 
non-volatile memory such as an EEPROM or a flash memory, a 
hard disk, or a RAM with batteries. 

[0336] The recording and reproducing device 300 has the 
read section 304 as an interface to which content data stored 
in the storage medium 500 can be input. The communication 
section 305 acts as an interface to which content data 
distributed from an exterior network such as the Internet can 
be input. 

[0337] The recording and reproducing device 300 has the 
cryptography process section 302 to execute an authentication 
process, encryption and decryption processes, a data 
verification process, or other processes. The cryptography 
process section 302 operates in downloading content data 
externally input via the read section 304 or the communication 
section 305 to the recording device 400 or reproducing and 
executing content data from the recording device 400. The 
cryptography process section 302 comprises a control section 
306, an internal memory 307 and an encryption/decryption 
section 308. Control section 306 controls the entire 
cryptography process section 302. The internal memory 307 
holds information such as keys for the cryptography process 
and has been processed so as to prevent data from being 
externally read out therefrom easily. Encryption/decryption 
section 308 is used for executing the encryption and 
decryption processes, generating and verifying authentication 
data, generating random numbers, etc. 

[0338] The control section 301 transmits an initialization 
command to the recording device 400 via the recording device 
controller 303 when, for example, the recording device 400 is 
installed in the recording and reproducing device 300. 
Control section 301 can also execute a mediation process for 
various processes such as a mutual authentication between the 
encryption/decryption section 308 and the 
encryption/decryption section 406. Control section 301 can 
also perform an integrity check value collating process and 
encryption and decryption processes. Each of these processes 
will be described in detail later. 
[0339] The cryptography process section 302 executes 
the authentication process, the encryption and decryption 
processes, the data verifying process, and other processes, as 
previously described. 

[0340] The cryptography process control section 306 
executes control of the whole cryptography process. This 
includes the authentication process and the 
encryption/decryption processes executed by the recording and 
reproducing device 300. These are, for example, processes of 
setting an authentication completion flag when the 
authentication process executed between the recording and 
reproducing device 300 and the recording device 400 has 
completed and commanding the execution of various processes 
executed in the encryption/decryption section 308. Some of 
the various processes are, for example, a download process 
and a process for generating integrity check values for 
reproduced content data, and commanding the execution of a 
process for generating various key data. 
[0341] The internal memory 307 stores key data, 
identification data, and other data required for various 
processes. Some of the various processes include the 
mutual authentication process, the integrity check value 
collating process, and the encryption and decryption processes 
which are executed in the recording and reproducing device 
300. These processes will be described later in detail. 
[0342] The encryption/decryption section 308 uses key data 
and similar information stored in the internal memory 
307 to execute the authentication process, the encryption and 
decryption processes, the generation and verification of 
predetermined integrity check values or electronic signatures, 
the verification of data, the generation of random numbers, 
etc. in downloading externally input content data to the 
recording device 400 or reproducing and executing content data 
stored in the recording device 400. 

[0343] In this case, the internal memory 307 of the 
recording and reproducing device cryptography process section 
302 holds important information such as cryptography keys and 
is configured so as not to have its data externally read out 
easily. Thus, the cryptography process section 306 is 
configured as a tamper-resistant memory characterized to 
restrain external invalid reads. It comprises, for example, a 
semiconductor chip that essentially rejects external accesses 
and has a multilayer structure, an internal memory sandwiched 
between dummy layers of aluminum or the like or arranged in 
the lowest layer, and a narrow range of operating voltages 
and/or frequencies. This configuration will be described 
later in detail. 

[0344] In addition to these cryptography process functions, 
the recording and reproducing device 300 comprises a main 
Central Processing Unit (CPU) 106, a RAM (Random Access 
Memory) 107, a ROM (Read Only Memory) 108, an AV process 
section 109, an input interface (I/F) 110, a PIO (Parallel 
I/O) interface 111, and a SIO (Serial I/O) interface 112. 

[0345] The main CPU 106, the RAM 107, and the ROM 108 
are components functioning as a control system for the main 
body of the recording and reproducing device 300. CPU 106, 
RAM 107 and ROM 108 principally function as a reproduction 
process section for reproducing data decrypted by the 
cryptography process section 302. For example, the main 
CPU 106 executes control for the reproduction and execution 
of contents, such as output of content data read out from the 
recording device and then decrypted, to the AV process section 
109 under the control of the control section 301. 

[0346] The RAM 107 is used as a main storage memory for 
various processes executed by the CPU 106 and as a working 
area for these processes. The ROM 108 stores a basic program 
for starting up an Operating System (OS) or the like activated 
by the CPU 106, as well as other data. 

[0347] The AV process section 109 has a data compression 
and decompression process mechanism. Specifically, the AV 
process section 109 includes an MPEG2 decoder, an ATRAC 
decoder, an MP3 decoder, etc., to execute processes 
for data outputs to a data output apparatus such as a display 
or speakers (not shown) attached or connected to the recording 
and reproducing device 300. 

[0348] The input I/F 110 outputs input data input 
from various connected input means such as a controller, a 
keyboard, and a mouse, to the main CPU 106. The main CPU 106 
executes a process in accordance with a command issued by a 
user via the controller, based on, for example, a game program 
being executed. 

[0349] The PIO interface 111 and the SIO interface 112 are 
used as storage devices for a memory card or a game cartridge 
and as a connection interface to a portable electronic device 
or the like. 

[0350] The main CPU 106 also executes control in storing 
saved data, setting data or the like for, as an example, a 
game being executed. During this process, stored 
data is transferred to the control section 301. This 
causes the cryptography process section 302 to execute a 
cryptography process for the saved data as required and then 
stores the encrypted data in the recording device 400. These 
cryptography processes will be described later in detail. 
[0351] The recording device 400 is a storage medium that 
can preferably be installed in and removed from the recording 
and reproducing device 300, and comprises, for example, a 
memory card. The recording device 400 has the cryptography 
process section 401 and the external memory 402. 

[0352] The recording device cryptography process section 
401 executes the mutual authentication process, encryption and 
decryption processes, data verification process, and other 
processes. These processes occur between the recording and 
reproducing device 300 and the recording device 400 in 
downloading content data from the recording and reproducing 
device 300 or reproducing content data from the recording 
device 400 to the recording and reproducing device 300. 
The cryptography process section 401 has a control section, an 
internal memory, an encryption/decryption section, and other 
components similarly to the cryptography process section of 
the recording and reproducing device 300. The details will be 
described in relation to Fig. 3. The external memory 
402 stores encrypted content data or the like. It comprises a 
non-volatile memory comprising a flash memory such as an 
EEPROM, a hard disk, or a RAM with batteries or the like. 

[0353] Fig. 3 is a view schematically showing the 
configuration of data input from the medium 500 and the 
communication means 600 that are data content providing means 
from which the data processing apparatus according to the 
present invention receives data. The recording and reproducing 
device 300 receives an input of content from the content 
providing means 500 or 600. Recording and reproducing device 
300 operates on arrangements for the cryptography process in 
the recording device 400. 

[0354] The medium 500 is, for example, an optical disk 
medium, a magnetic disk medium, a magnetic tape medium, a 
semiconductor medium, or the like. The communication means 600 
is capable of data communication via the Internet, 
cable, or satellite communication. 

[0355] In Fig. 3, the recording and reproducing device 300 
verifies data input by the medium 500 or the communication 
means 600. That is, recording and reproducing device 300 
verifies content meeting a predetermined format and stores 
the verified content in the recording device 400. 

[0356] As shown in the sections of the medium 500 and 
communication means 600, the content data has the 
following components: 

Content ID: content ID as an identifier for content data. 

[0357] Usage policy: a usage policy containing constituent 
information of content data. For example, the usage policy 
contains the sizes of a header section and a content section 
constituting the content data, a format version, a content 
type indicating whether the content is a program or data, and 
a localization field indicating whether the content can be 
used only in an apparatus that has downloaded the content or 
also in other apparatuses. 

[0358] Block information table: the block information table 
comprises the number of content blocks, a block size, an 
encryption flag indicating the presence of encryption, and 
other information. 

[0359] Key data: key data comprises an encryption key 
for encrypting the above described block information table, a 
content key for encrypting a content block, or the like. 
[0360] Content block: the content block comprises 
program data, music or image data, or other data to be 
actually reproduced. 

[0361] The content data will be explained later in further 
detail with reference to Fig. 4 and subsequent figures. 
[0362] The content data are encrypted by the content key 
(hereafter referred to as the "Kcon") and then provided to the 
recording and reproducing device 300 from the medium 500 or 
the communication means 600. The content can be stored in the 
external memory of the recording device 400 via the recording 
and reproducing device 300. 

[0363] For example, the recording device 400 uses a key 
(hereafter referred to as a "storage key", or Kstr) unique 
thereto. The storage key is stored in the internal memory 405 
thereof to encrypt the content contained in the content data, 
the block information table contained in the content data as 
header information, and information on various keys, such as 
the content key Kcon. This is done before storing these data 
in the external memory 402. To download the content data from 
the recording and reproducing device 300 to the recording 
device 400 or allow the recording and reproducing device 300 
to reproduce the content data stored in the recording device 
400, predetermined procedures such as a mutual authentication 
process between the apparatuses and content data encrypting 
and decrypting processes are required. These processes will be 
explained later in detail. 

[0364] The recording device 400 has the cryptography 
process section 401 and the external memory 402. The 
cryptography process section 401 has a control section 403, a 
communication section 404, the internal memory 405, an 
encryption/decryption section 406, and an external memory 
control section 407. 

[0365] The recording device 400 is responsible for the 
whole cryptography process, controls the external memory 402, 
and comprises the recording device cryptography process 
section 401. Cryptography process section 401 is for 
interpreting a command from the recording and reproducing 
device 300 and executing a process. The recording device 
400 also includes the external memory 402, which holds 
contents or the like. 

[0366] The recording device cryptography process section 
401 has the control section 403 for controlling the entire 
recording device cryptography process section 401, the 
communication section 404 for transmitting and receiving data 
to and from the recording and reproducing device 300 and the 
internal memory 405. Internal memory 405 holds information 
such as keys for the cryptography process. The 
information has been processed so as to prevent data from 
being easily externally read out therefrom. The 
encryption/decryption section 406 is used for executing the 
encryption and decryption processes, generating and verifying 
authentication data, generating random numbers, etc. 
The external memory control section 407 is used for reading 
and writing data from and to the external memory 402. 

[0367] The control section 403 executes control of the 
whole cryptography process. This includes the 
authentication process and the encryption/decryption processes 
executed by the recording device 400. The 
encryption/decryption processes include, for example, 
processes of setting an authentication completion flag when 
the authentication process executed between the recording and 
reproducing device 300 and the recording device 400 has 
completed. The control section 403 also commands the 
execution of various processes executed in the 
encryption/decryption section 406 of the cryptography process 
section 401. For example, the various processes can include 
a download process and a process for generating integrity 
check values for reproduced content data. The control 
section 403 also commands the execution of a process for 
generating various key data. 

[0368] The internal memory 405 comprises a memory having a 
plurality of blocks to store a plurality of sets of key data, 
identification data, or other data which are required for 
various processes. Such various processes include the 
mutual authentication process, integrity check value collating 
process, and an encryption and decryption process, which are 
executed by the recording device 400, as described later in 
detail. 

[0369] The internal memory 405 of the recording device 
cryptography process section 401, like the internal memory 307 
of the cryptography process section 302 previously described, 
holds important information such as cryptography keys. 
Internal memory 307 must thus be configured so as not to have 
its data externally read out easily. Thus, the cryptography 
process section 401 of the recording device 400 is 
characterized to restrain external invalid reads. It comprises 
a semiconductor chip that essentially rejects external accesses 
and has a multilayer structure, an internal memory sandwiched 
between dummy layers of aluminum or the like or arranged in 
the lowest layer, and a narrow range of operating voltages 
and/or frequencies. In this regard, the cryptography process 
section 302 may be software configured so as to prevent secret 
information for keys from leaking easily to the exterior 
network or the like. 
[0370] The encryption/decryption section 406 uses key data 
or the like stored in the internal memory 405 to execute the 
data verifying process, the encryption and decryption 
processes, the generation and verification of predetermined 
integrity check values or electronic signatures, the 
generation of random numbers, etc. It does this in downloading 
content data from the recording and reproducing device 300, 
reproducing content data stored in the external memory 402 of 
the recording device 400, or executing mutual authentication 
between the recording and reproducing device 300 and the 
recording device 400. 

[0371] The communication section 404 is connected to the 
recording device controller 303 of the recording and 
reproducing device 300. The communication section 404 
downloads or reproduces content data or communicates transfer 
data between the recording and reproducing device 300 and the 
recording device 400 during the mutual authentication process. 
This is done according to the control of the control section 
301 of the recording and reproducing device 300, or the 
control of the control section 403 of the recording device 400. 

(2) Content Data Format 

[0372] Next, by using Fig. 4 to Fig. 6, the data format of 
data stored in the medium 500 or communicated on the data 
communication means 600 will be explained. 

[0373] The configuration shown in Fig. 4 shows the format 
of the entire content data. The configuration shown in Fig. 
5 shows details of the "usage policy" that partly 
constitutes the header section of the content data. 
The configuration shown in Fig. 6 shows details of the "block 
information table" that partly constitutes the header 
section of the content. 

[0374] A representative example of the data format applied 
to the system according to the present invention will be 
explained. However, different types of data formats, 
such as formats corresponding to game programs and formats 
suitable for real-time processing of music data or the like, 
can be used for the present system. The aspects of these 
formats will be described later in further detail in "(10) 
Plural Content Data Formats and Download and Reproduction 
Processes Corresponding to Each Format". 

[0375] In the data format shown in Fig. 4, items shown in 
gray indicate encrypted data. Items enclosed by double 
frames indicate tamper check data. The other items 
shown in white indicate plain text data that are not encrypted. 
Encryption keys of the encryption section are shown on the 
left of the frames. In the example shown in Fig. 4, some of 
the blocks (content block data) of the content section contain 
encrypted data, while the others contain non-encrypted data. 
This form varies depending on the content data. All the 
content block data contained in the data may be encrypted. 
[0376] As shown in Fig. 4, the data format is divided into 
the header section and the content section. The header 
section comprises a content ID, a usage policy, an integrity 
check value A (hereafter referred to as "ICVa"), a block 
information table key (hereafter referred to as "Kbit"), a 
content key Kcon, a block information table (hereafter 
referred to as "BIT"), an integrity check value B ("ICVb"), 
and a total integrity check value ("ICVt"). The content 
section comprises a plurality of content blocks, for example, 
encrypted and non-encrypted contents. 

[0377] In this case, the individual information indicates a 
content ID for identifying a specific piece of content. The 
usage policy, as shown in Fig. 5, comprises a header length 
indicating the size of the header section; a content length 
indicating the size of the content section; a format version 
indicating version information for the format; a format type 
indicating the type of the format; a content type indicating 
the type of the content, that is, whether it is a program or 
data; an operation priority indicating a priority for 
activation if the content type is a program; a localization 
field indicating whether the content downloaded in accordance 
with this format can be used only in an apparatus that has 
downloaded the content or also in other similar apparatuses; 
a copy permission indicating whether the content downloaded in 
accordance with this format can be copied from the apparatus 
that has downloaded the content to another similar apparatus; 
a move permission indicating whether the content downloaded in 
accordance with this format can be moved from the apparatus 
that has downloaded the content to another similar apparatus; 
an encryption algorithm indicating an algorithm used to 
encrypt content blocks in the content section; an encryption 
mode indicating a method for operating the algorithm used to 
encrypt the content in the content section; and an integrity 
check method indicating a method for generating integrity 
check values, as shown in detail in Fig. 5. 

[0378] The above described data items recorded in the usage 
policy are only exemplary and various usage policy information 
can be recorded depending on the aspect of corresponding 
content data. The identifier is described later in detail in, 
for example, "(17) Configuration for Excluding (Revoking) 
Illegal Apparatuses". It is also possible to make a 
configuration so as to exclude the use of content caused by 
the illegal apparatus by recording the content of an illegal 
recording and reproducing apparatus as data and by checking 
the start time of starting the use. 

[0379] The integrity check value ICVa is used to verify 
that the content ID or the usage policy has not been tampered 
with. It functions as a check value for partial data instead 
of the entire content data. That is, it functions as a 
partial integrity check value. The block information 
table key Kbit is used to encrypt a block information table. 
The content key Kcon is used to encrypt content blocks. 
The block information table key Kbit and the content key Kcon 
are encrypted with a distribution key (hereafter referred to 
as "Kdis") on the medium 500 and the communication means 600. 
[0380] Fig. 6 shows the block information table in detail. 
The block information table in Fig. 6 comprises data 
encrypted with the block information table key Kbit as 
illustrated in Fig. 4. The block information table 
comprises a block number indicating the number of content 
blocks and information on N content blocks. 
The content block information table comprises a block length, 
an encryption flag indicating whether or not the block has 
been encrypted, an ICV flag indicating whether or not 
integrity check values must be calculated, and a content 
integrity check value (ICVi). 

[0381] The content integrity check value is used to verify 
that each content block has not been tampered with. A specific 
example of a method for generating a content integrity check 
value will be explained later in "(10) Plural Content Data 
Formats and Download and Reproduction Processes Corresponding 
to Each Format". The block information table key Kbit, used 
to encrypt the block information table, is further encrypted 
with the distribution key Kdis. 

[0382] The data format in Fig. 4 will be described further. 
The integrity check value ICVb is used to verify that the 
block information table key Kbit, the content key Kcon, and 
the block information table have not been tampered with. It 
functions as a check value for partial data instead of the 
entire content data. That is, it functions as a partial 
integrity check value. The total integrity check value ICVt 
is used to verify that the integrity check values ICVa and 
ICVb, integrity check values ICVi for each content block (if 
this has been set), partial integrity check values thereof, 
or all the data to be checked have not been tampered with. 

[0383] In Fig. 6, the block length, the encryption flag, 
and the ICV flag can be arbitrarily set. However, certain 
rules may be established. For example, encrypted and 
plain-text areas may be repeated over a fixed length, all the 
content data may be encrypted, or the block information table 
BIT may be compressed. Additionally, the content key Kcon may 
be contained in the content block instead of the header 
section to allow different content keys Kcon to be used for 
different content blocks. Examples of the content data format 
will be described in further detail in "(10) Plural Content 
Data Formats and Download and Reproduction Processes 
Corresponding to Each Format". 

(3) Outline of Cryptography Processes Applicable to Present 
Data Processing Apparatus 

[0384] Next, the aspects of various cryptography processes 
applicable to the data processing apparatus according to the 
present invention will be explained. The description of the 
cryptography processes shown in "(3) Outline of Cryptography 
Processes Applicable to Present Data Processing Apparatus" 
corresponds to an outline of the aspect of a cryptography 
process on which are based various processes executed by the 
present data processing apparatus, which will be specifically 
described later. For example, "a. authentication process 
between recording and reproducing device and recording device", 
"b. download process for device for loading contents", and 
"c. process for reproducing content stored in recording 
device" will be explained herein. Specific processes executed 
by the recording and reproducing device 300 and the recording 
device 400 will each be described in detail in item (4) and 
subsequent items. 

[0385] An outline of the cryptography process applicable to 
the data processing apparatus will be described in the 
following order: 

(3-1) Message Authentication Based on Common Key Cryptosystem 
(3-2) Electronic Signature Based on Public Key Cryptosystem 
(3-3) Verification of Electronic Signature Based on Public Key 
Cryptosystem 
(3-4) Mutual Authentication Based on Common Key Cryptosystem 
(3-5) Public Key Certificate 
(3-6) Mutual Authentication Based on Public Key Cryptosystem 
(3-7) Encryption Process Using Elliptic Curve Cryptography 
(3-8) Decryption Process Using Elliptic Curve Cryptography 
(3-9) Random Number Generating Process 

(3-1) Message Authentication Based on Common Key Cryptosystem 
[0386] First, a process for generating tamper detecting 
data using a common key cryptography method will be explained. 
The tamper detecting data are added to the data to be checked 
in order to check for tampering and to authenticate 
a creator. 

[0387] For example, the tamper detecting data may be the 
ICVa, the ICVb, and the total integrity check value in the 
data structure described in Fig. 4, and the content check 
value stored in each block in the block information table 
shown in Fig. 6. 

[0388] Here, the use of the DES, which is a common key 
cryptosystem, will be explained as an example of a method for 
generating and processing electronic signature data. In 
addition to the DES, the present invention may use, for 
example, the FEAL (Fast Encipherment Algorithm) or the AES 
(Advanced Encryption Standard) (U.S. next-term standard 
cryptography) as a similar process based on a common key 
cryptosystem. 

[0389] A method for generating an electronic signature 
using a general DES will be explained with reference to Fig. 7. 
First, before generating an electronic signature, a message to 
which the electronic signature is to be added is divided into 
sets of 8 bytes (the pieces of the divided message are 
hereafter referred to as "M1, M2, ..., MN"). An initial value 
(hereafter referred to as "IV") and the M1 are exclusive-ORed. 
The result is referred to as "I1". Next, the I1 
is input to a DES encrypting section, which encrypts it using 
a key (hereafter referred to as "K1"). The output is referred 
to as "E1". Subsequently, the E1 and the M2 are exclusive- 
ORed, and the output I2 is input to the DES encrypting section, 
which encrypts it using the key K1 (the output is referred to 
as "E2"). This process is repeated to encrypt all the messages 
(M1, M2, ..., MN) obtained by means of the division. The final 
output is an electronic signature ("EN"). This value is 
generally called a "MAC (Message Authentication Code)" used to 
check a message for tampering. In addition, such a system for 
chaining encrypted texts is called a "CBC (Cipher Block 
Chaining) mode". 

[0390] The MAC value output in the example of generation 
shown in Fig. 7 can be used as the integrity check value A or 
B or total integrity check value in the data structure shown 
in Fig. 4 which is enclosed by double frames and the content 
check value ICV1 to ICVN stored in each block in the block 
information table shown in Fig. 6. In verifying the MAC value, 
a verifier generates it using a method similar to that used to 
originally generate it. The verification is determined 
to be successful if the same value is obtained. 

[0391] Moreover, in the example shown in Fig. 7, the 
initial value IV is exclusive-ORed with the first 8-byte 
message Ml, but the initial value IV may be zero and not 
exclusive-ORed . 

[0392] Fig. 8 shows the configuration of a method for
generating the MAC value which has improved security compared
to the MAC value generating method shown in Fig. 7. Fig. 8
shows an example where instead of the Single DES in Fig. 7,
the Triple DES is used to generate the MAC value.

[0393] Figs. 9A and 9B show an example of a detailed
configuration of each of the Triple DES components shown in
Fig. 8. There are two different aspects of the configuration
of the Triple DES as shown in Fig. 9. Fig. 9(a) shows an
example using two cryptography keys. Processing is carried out
in the order of an encryption process with a key 1 (K1), a
decryption process with a key 2 (K2), and an encryption
process with the key 1. The two types of keys are used in the
order of K1, K2, and K1. Fig. 9(b) shows an example using
three cryptography keys. Processing is carried out in the
order of an encryption process with the key 1, an encryption
process with the key 2, and an encryption process with a key 3
(K3). The three types of keys are used in the order of K1, K2,
and K3. The plurality of processes are thus continuously
executed to improve security intensity compared to the Single
DES. The Triple DES configuration, however, has the
disadvantage of requiring an amount of processing time three
times as large as that for the Single DES.

[0394] Fig. 10 shows an example of a MAC value generating
configuration obtained by improving the Triple DES
configuration described in Figs. 8 and 9. In Fig. 10, the
encryption process for each of the messages (M1, M2, ..., MN)
from beginning to end of a message string to which a signature
is to be added is based on the Single DES. Only the encryption
process for the last message is based on the Triple DES
configuration shown in Fig. 9(a).

[0395] The configuration shown in Fig. 10 reduces the time
required to generate the MAC value for the message down to a
value almost equal to the time required for the MAC value
generating process based on the Single DES. This is done with
improved security compared to the MAC value based on the
Single DES. Moreover, the Triple DES configuration for the
last message may be as shown in Fig. 9(b).

(3-2) Electronic Signature Based on Public Key Cryptosystem

[0396] The method for generating electronic signature data
when the common key encryption system is used as the
encryption system has been described. A method for generating
electronic signature data when a public key cryptosystem is
used as the encryption system will be described with reference
to Fig. 11. The process shown in Fig. 11 corresponds to a
process flow of generation of electronic signature data using
the Elliptic Curve Digital Signature Algorithm (EC-DSA), as
per IEEE P1363/D3. An example using Elliptic Curve
Cryptography (hereafter referred to as "ECC") as public key
cryptography will be explained. In addition to ECC, the data
processing apparatus according to the present invention may
use, for example, RSA (Rivest, Shamir, Adleman; ANSI X9.31)
cryptography, which is a similar public cryptosystem.

[0397] Each step in Fig. 11 will be described. At step S1,
the following definitions are set. Reference symbol p denotes
a characteristic. Reference symbols a and b denote
coefficients of an elliptic curve (elliptic curve: y^2 = x^3 +
ax + b). M denotes a message. G denotes a base point on the
elliptic curve. Symbol r denotes the digit of the G. Ks
denotes a secret key (0 < Ks < r). At step S2, a hash value
for the message M is calculated to obtain f = Hash(M).

[0398] Then, a method for determining a hash value using a
hash function will be explained. The hash function receives a
message as an input, compresses it into data of a
predetermined bit length, and outputs the compressed data as a
hash value. The hash value is characterized in that it is
difficult to predict an input from a hash value (output). For
instance, when one bit of data input to the hash function
changes, many bits of the hash value change. Thus, it is
difficult to find different input data with the same hash
value. The hash function employed may be, for example, MD4,
MD5, SHA-1, or DES-CBC similar to that described in Fig. 7 or
other figures. In this case, the MAC (corresponding to the
integrity check value ICV), which is the final output value,
is the hash value.

[0399] Subsequently, at step S3, a random number u (0 < u <
r) is generated. At step S4, the base point G is multiplied by
u to obtain coordinates V (Xv, Yv). An addition and a
multiplication by two on the elliptic curve are defined as
follows:

If P = (Xa, Ya), Q = (Xb, Yb), R = (Xc, Yc) = P + Q.

When P ≠ Q (addition),

Xc = λ^2 - Xa - Xb

Yc = λ × (Xa - Xc) - Ya

λ = (Yb - Ya) / (Xb - Xa)

When P = Q (multiplication by two),

Xc = λ^2 - 2Xa

Yc = λ × (Xa - Xc) - Ya

λ = (3(Xa)^2 + a) / (2Ya)   (1)

[0400] These are used to multiply the point G by u.
Although the calculation speed is low, the most easy-to-
understand calculation method is shown below. G, 2 x G,
4 x G, ... is calculated, the u is binary-expanded, and the
corresponding 2^i x G (value obtained by multiplying G by 2,
i times) is added for each bit of 1 (i denotes a bit position
as counted from an LSB).

[0401] At step S5, c = Xv mod r is calculated, and at step
S6, it is determined whether the result is zero. If the result
is not zero, then at step S7, d = [(f + cKs)/u] mod r is
calculated. At step S8, it is determined whether d is zero. If
the d is not zero, then at step S9, c and d are output as
electronic signature data. When r is assumed to denote a
length of 160 bits, the electronic signature data have a
length of 320 bits.

[0402] If c is 0 at step S6, the process returns to step S3
to regenerate a new random number. Similarly, if the d is 0 at
step S8, the process also returns to step S3 to regenerate a
new random number.

(3-3) Verification of Electronic Signature Based on Public Key
Cryptosystem

[0403] Next, a method for verifying an electronic signature
using the public key cryptosystem will be described with
reference to Fig. 12. At step S11, the following definitions
are set. Reference symbol M denotes a message. Reference
symbol p denotes a characteristic. Reference symbols a and b
denote elliptic curve coefficients (elliptic curve: y^2 = x^3
+ ax + b). Reference symbol G denotes a base point on the
elliptic curve. Reference symbol r denotes the digit of G.
Reference symbols G and Ks x G denote public keys (0 < Ks <
r). At step S12, it is verified that the electronic signature
data c and d meet 0 < c < r and 0 < d < r. If the data meet
these conditions, then at step S13, a hash value for the
message M is calculated to obtain f = Hash(M). Next, at step
S14, h = 1/d mod r is calculated, and at step S15, h1 = fh mod
r and h2 = ch mod r are calculated.

[0404] At step S16, the already calculated values h1 and h2
are used to calculate P = (Xp, Yp) = h1 x G + h2 x Ks x G. An
electronic-signature verifier knows the public keys G and Ks x
G and can thus calculate a scalar multiplication of a point on
the elliptic curve similarly to step S4 in Fig. 11. Then, at
step S17, it is determined whether the P is a point at
infinity. If not, the process proceeds to step S18 (the
determination of whether the P is a point at infinity can
actually be made at step S16). That is, when P = (X, Y) and Q
= (X, -Y) are added together, if the λ cannot be calculated,
it indicates that P + Q is a point at infinity. At step S18,
Xp mod r is calculated and compared with the electronic
signature data c. Finally, if these values are equal, the
process proceeds to step S19 to determine that the electronic
signature is correct.

[0405] If it is determined that the electronic signature is
correct, the data has not been tampered with and a person
holding the secret key corresponding to the public keys has
generated the electronic signature.

[0406] If the signature data c or d do not meet 0 < c < r
or 0 < d < r at step S12, the process proceeds to step S20.
Additionally, if the P is a point at infinity at step S17, the
process also proceeds to step S20. Further, if the value of Xp
mod r does not equal the signature data c at step S18, the
process proceeds to step S20.

[0407] If it is determined at step S20 that the signature
is incorrect, this indicates that the received data has been
tampered with or has not been generated by the person holding
the secret key corresponding to the public keys.

(3-4) Mutual Authentication Based on Common Key Cryptosystem

[0408] Next, a mutual authentication method using a common
key cryptosystem will be explained with reference to Fig. 13.
In this figure, the common key cryptosystem is the DES, but
any common key cryptosystem similar to that previously
described may be used. In Fig. 13, B first generates a 64-bit
random number Rb and transmits the Rb and its own ID, ID(b),
to A. On receiving the data, A generates a new 64-bit random
number Ra, encrypts the data in the DES CBC mode in the order
of the Ra, Rb, and ID(b) using a key Kab, and returns them to
B. According to the DES CBC mode process configuration shown
in Fig. 7, the Ra, Rb, and ID(b) correspond to M1, M2, and M3,
and outputs E1, E2, and E3 are encrypted texts when an initial
value: IV = 0.

[0409] On receiving the data, B decrypts the received data
with the key Kab. To decrypt the received data, the encrypted
text E1 is first decrypted with the key Kab to obtain the
random number Ra. Then, the encrypted text E2 is decrypted
with the key Kab, and the result and the E1 are exclusive-ORed
to obtain the Rb. Finally, the encrypted text E3 is decrypted
with the key Kab, and the result and the E2 are exclusive-ORed
to obtain the ID(b). Of the Ra, Rb, and ID(b) thus obtained,
the Rb and ID(b) are checked for equality to those transmitted
by B. If they are successfully verified, B authenticates A.

[0410] Then, B generates a session key (hereafter referred
to as "Kses") used after the authentication. Kses is generated
using a random number. The Rb, Ra, and Kses are encrypted in
the DES CBC mode in this order using the key Kab and then
returned to A.

[0411] On receiving the data, A decrypts the received data
with the key Kab. The method for decrypting the received data
is similar to that executed by B, so detailed description
thereof is omitted. Of the Rb, Ra, and Kses thus obtained, the
Rb and Ra are checked for equality to those transmitted by A.
If they are successfully verified, A authenticates B. After A
and B have authenticated each other, the session key Kses is
used as a common key for secret communication after the
authentication.

[0412] If illegality or inequality is found during the
verification of the received data, the mutual authentication
is considered to have failed and the process is aborted.
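
The CBC chaining of Fig. 7 and the exchange of Fig. 13, with both sides' messages, as an added Python example that is not code from the patent. DES is not in the Python standard library, so a 4-round Feistel stand-in (an assumption of this example, not DES and not secure) takes the place of the DES encrypting section; the function names, the `channel` hook and the sample ID are illustrative.

```python
import hashlib
import hmac
import secrets

ZERO_IV = bytes(8)  # IV = 0, as in the Fig. 13 description


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, i, half):
    # Round function of the stand-in cipher (assumption; DES uses S-boxes).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def encrypt_block(key, block):
    """Stand-in for the DES encrypting section: 64-bit Feistel, NOT DES."""
    left, right = block[:4], block[4:]
    for i in range(4):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right


def decrypt_block(key, block):
    left, right = block[:4], block[4:]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right


def cbc_encrypt(key, blocks, iv=ZERO_IV):
    """I_n = E_(n-1) xor M_n, E_n = Enc(K, I_n); returns [E1, ..., EN]."""
    out, prev = [], iv
    for m in blocks:
        prev = encrypt_block(key, _xor(prev, m))
        out.append(prev)
    return out


def cbc_decrypt(key, blocks, iv=ZERO_IV):
    """M_n = Dec(K, E_n) xor E_(n-1), with E_0 = IV."""
    out, prev = [], iv
    for e in blocks:
        out.append(_xor(decrypt_block(key, e), prev))
        prev = e
    return out


def cbc_mac(key, blocks, iv=ZERO_IV):
    """The MAC of Fig. 7 is the final output EN of the chain."""
    return cbc_encrypt(key, blocks, iv)[-1]


class AuthError(Exception):
    """Raised when a check fails; the process is aborted."""


def _check(got, expected, name):
    if not hmac.compare_digest(got, expected):
        raise AuthError(name + " does not match")


def mutual_auth(kab_a, kab_b, id_b, channel=lambda blocks: blocks):
    """Runs both sides of Fig. 13; returns (Kses held by A, Kses held by B).

    kab_a and kab_b are the copies of Kab held by A and B. channel models
    the link carrying A's reply (hypothetical hook for testing).
    """
    # B -> A: Rb and ID(b)
    rb = secrets.token_bytes(8)
    # A -> B: E1, E2, E3 = CBC(Kab; Ra, Rb, ID(b))
    ra = secrets.token_bytes(8)
    reply_a = channel(cbc_encrypt(kab_a, [ra, rb, id_b]))
    # B decrypts and checks Rb and ID(b) against what it sent
    ra_seen, rb_seen, id_seen = cbc_decrypt(kab_b, reply_a)
    _check(rb_seen, rb, "Rb")
    _check(id_seen, id_b, "ID(b)")
    # B -> A: CBC(Kab; Rb, Ra, Kses)
    kses_b = secrets.token_bytes(8)
    reply_b = cbc_encrypt(kab_b, [rb, ra_seen, kses_b])
    # A decrypts and checks Rb and Ra
    rb_back, ra_back, kses_a = cbc_decrypt(kab_a, reply_b)
    _check(rb_back, rb, "Rb")
    _check(ra_back, ra, "Ra")
    return kses_a, kses_b


if __name__ == "__main__":
    kab = bytes.fromhex("0123456789abcdef")   # constructed shared key
    a_key, b_key = mutual_auth(kab, kab, b"DEVICE-B")
    print(a_key == b_key)
```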
(3-5) Public Key Certificate

[0413] Next, the public key certificate will be explained
with reference to Fig. 14. The public key certificate is
issued, for example, by a Certificate Authority (CA) for the
public key cryptosystem. When a user submits his or her own ID,
a public key, and others to the CA, the CA adds information
such as its own ID and valid term to the data submitted by the
user and further adds its signature thereto to generate a
public key certificate.

[0414] The public key certificate shown in Fig. 14 contains
the version number of the certificate, the sequential number
of the certificate allotted to the certificate user by the CA,
an algorithm and parameters used for the electronic signature,
the name of the CA, the valid term of the certificate, the
name (user ID) of the certificate user, and the public key and
electronic signature of the certificate user.

[0415] The electronic signature is data generated by
applying the hash function to the entirety of: the version
number of the certificate; the sequential number of the
certificate allotted to the certificate user by the
certificate authority; the algorithm and parameter used for
the electronic signature; the name of the CA; the valid term
of the certificate; the name of the certificate user; and the
public key of the certificate user. This generates a hash
value. The secret key of the CA is used for this value. For
example, the process flow described in Fig. 11 is applied to
the generation of the electronic signature.

[0416] The CA issues the public key certificate shown in
Fig. 14, updates a public key certificate for which the valid
term has expired, and creates, manages, and distributes an
illegal user list to exclude users who have committed an
injustice (this is called "revocation"). It also generates
public and secret keys as required.

[0417] On the other hand, to use this public key
certificate, the user uses the public key of the CA held by
itself to verify the electronic signature on the public key
certificate. After the electronic signature has been
successfully verified, the user takes the public key out from
the public key certificate and uses it. Thus, all users who
use the public key certificate must hold a common public key
of the CA. The method for verifying the electronic signature
has been described in Fig. 12, so detailed description thereof
is omitted.
(3-6) Mutual Authentication Based on Public Key Cryptosystem

[0418] Next, a method for mutual authentication using a
160-bit elliptic curve cryptography, which is a public key
cryptography, will be described with reference to Fig. 15. In
this figure, the public key cryptosystem is the ECC, but any
similar public key cryptosystem may be used as previously
described. In addition, the key size is not limited to 160
bits. In Fig. 15, B first generates and transmits the 64-bit
random number Rb to A. On receiving the data, A generates a
new 64-bit random number Ra and a random number Ak smaller
than the characteristic p. It then multiplies a base point G
by Ak to determine a point Av = Ak x G, generates an
electronic signature A.Sig for the Ra, Rb, and Av (X and Y
coordinates), and returns these data to B together with A's
public key certificate. In this case, since the Ra and Rb each
contain 64 bits and the X and Y coordinates of the Av each
contain 160 bits, the electronic signature is for the total of
448 bits. The method for generating the electronic signature
has been described in Fig. 11, so detailed description thereof
is omitted. The public key certificate has also been explained
in Fig. 14, so detailed description thereof is omitted.

[0419] On receiving A's public key certificate, Ra, Rb, Av,
and electronic signature A.Sig, B verifies that the Rb
transmitted by A matches that generated by B. If they are
determined to match, B verifies the electronic signature in
A's public key certificate using the public key of the CA, and
takes out A's public key. The verification of the public key
certificate has been explained with reference to Fig. 14, so
detailed description thereof is omitted. B then uses A's
public key obtained to verify the electronic signature A.Sig.
The method for verifying the electronic signature has been
explained in Fig. 12, so detailed description thereof is
omitted. Once the electronic signature has been successfully
verified, B authenticates A.

[0420] Next, B generates a new random number Bk smaller
than the characteristic p. It then multiplies the base point G
by Bk to determine a point Bv = Bk x G, generates an
electronic signature B.Sig for the Rb, Ra, and Bv (X and Y
coordinates), and returns these data to A together with B's
public key certificate.

[0421] On receiving B's public key certificate, Rb, Ra, Bv,
and electronic signature B.Sig, A verifies that the Ra
transmitted by B matches that generated by A. If they match, A
verifies the electronic signature in B's public key
certificate using the public key of the CA, and takes out B's
public key. A then uses B's public key obtained to verify the
electronic signature B.Sig. Once the electronic signature has
been successfully verified, A authenticates B.

[0422] If both A and B have successfully authenticated each
other, B calculates Bk x Av (since the Bk is a random number
but the Av is a point on the elliptic curve, the point on the
elliptic curve must be subjected to scalar multiplication),
and A calculates Ak x Bv so that lower 64 bits of each of the
X coordinates of these points are used as the session key for
subsequent communication (if the common key cryptography uses
a 64-bit key length). Of course, the session key may be
generated from the Y coordinates, or the lower 64 bits may not
be used. In secret communication after the mutual
authentication, not only are transmitted data encrypted with
the session key, but an electronic signature may be added
thereto.

[0423] If illegality or inequality is found during the
verification of the electronic signature or received data, the
mutual authentication is considered to have failed and the
process is aborted.

(3-7) Encryption Process Using Elliptic Curve Cryptography

[0424] Next, encryption using elliptic curve cryptography
will be explained with reference to Fig. 16. At step S21, the
following definitions are set. Reference symbols Mx and My
denote messages. Reference symbol p denotes a characteristic.
Reference symbols a and b denote elliptic curve coefficients
(elliptic curve: y^2 = x^3 + ax + b). Reference symbol G
denotes a base point on the elliptic curve. Reference symbol r
denotes the digit of G. Reference symbols G and Ks x G denote
public keys (0 < Ks < r). At step S22, the random number u is
generated so that 0 < u < r. At step S23, coordinates V are
calculated by multiplying the public key Ks x G by the u. The
scalar multiplication on the elliptic curve has been explained
at step S4 in Fig. 11, and description thereof is thus
omitted. At step S24, the X coordinate of the V is multiplied
by the Mx and then divided by the p to determine a remainder
X0. At step S25, the Y coordinate of the V is multiplied by
the My and then divided by the p to determine a remainder Y0.
If the length of the message is smaller than the number of the
bits, the My comprises a random number, and the decryption
section discards it. At step S26, u x G is calculated and at
step S27, an encrypted text u x G, (X0, Y0) is obtained.
Decryption Process Using Elliptic Curve Cryptography

[0425] Next, decryption using the elliptic curve
cryptography will be described with reference to Fig. 17. At
step S31, the following definitions are set. Reference symbols
u x G and (X0, Y0) denote encrypted text data. Reference
symbol p denotes a characteristic. Reference symbols a and b
denote elliptic curve coefficients (elliptic curve: y^2 = x^3
+ ax + b). Reference symbol G denotes a base point on the
elliptic curve. Reference symbol r denotes the digit of G.
Reference symbol Ks denotes a secret key (0 < Ks < r). At step
S32, the encrypted data u x G are multiplied by a value
corresponding to the secret key Ks to determine coordinates V
(Xv, Yv). At step S33, the X coordinate of (X0, Y0) is taken
out from the encrypted data and X1 = X0 / Xv mod p is
calculated. At step S34, the Y coordinate is taken out and Y1
= Y0 / Yv mod p is calculated. At step S35, X1 is determined
to be Mx and Y1 is determined to be My to obtain a message. At
this point, if the My is not used for the message, Y1 is
discarded.

[0426] In this manner, when the secret key is Ks, the
public key is G, and Ks x G is calculated, the key used for
encryption and the key used for decryption may be different.

[0427] Another known example of the public key cryptography
is the RSA, but detailed description thereof is omitted
(details thereof are described in PKCS #1 Version 2).
Random Number Generating Process

[0428] Next, a method for generating a random number will
be explained. Known random-number generating methods include
an intrinsic random-number generating method that amplifies
thermal noise to generate a random number from the resulting
A/D output and a pseudo random-number generating method that
combines together a plurality of linear circuits such as M
sequences. A method is also known which uses common key
cryptography such as the DES. In this example, the pseudo
random-number generating method using the DES will be
described (ANSI X9.17 base).

[0429] First, the value of 64 bits (for a smaller number of
bits, higher bits are set to 0) obtained from data such as
time is defined as D, key information used for the Triple-DES
is defined as Kr, and a seed for generating a random number is
defined as S. Then, the random number R is calculated as
follows:

I = Triple-DES(Kr, D)     (2-1)

R = Triple-DES(Kr, S*I)   (2-2)

S = Triple-DES(Kr, R*I)   (2-3)

[0430] In this case, Triple-DES() is a function that uses a
first argument as cryptography key information and that
encrypts the value of a second argument based on the Triple-
DES. The operation * is an exclusive OR executed every 64
bits. The last value S is updated as a new seed.

[0431] If random numbers are continuously generated,
Equations (2-2) and (2-3) are repeated.

[0432] The aspects of various cryptography processes
applicable to the data processing apparatus according to the
present invention have been described. Next, specific
processes executed in the present data processing apparatus
will be described in detail.

(4) Configuration of Data Stored in Recording and Reproducing
Device

[0433] Fig. 18 is a view illustrating the contents of data
held in the internal memory 307 configured in the recording
and reproducing device cryptography process section 302 of the
recording and reproducing device 300 shown in Fig. 3.

[0434] As shown in Fig. 18, the internal memory 307 stores
the following keys and data:

MKake: recording device authenticating master key for
generating an authentication and key exchange key (hereafter 
referred to as "Kake") required for a mutual authentication 
process executed between the recording and reproducing device 
300 and recording device 400 (see Fig. 3) . 

IVake: initial value for the recording device 
authenticating key. 

MKdis: master key for a distribution key for generating a 
distribution key Kdis. 

IVdis: distribution-key-generating initial value.

Kicva: integrity-check-value-A-generating key for
generating the integrity check value ICVa.

Kicvb: integrity-check-value-B-generating key for
generating the integrity check value ICVb.

Kicvc: content-integrity-check-value-generating key for
generating the integrity check value ICVi (i=1 to N) for each
content block.

Kicvt: total-integrity-check-value-generating key for
generating the total integrity check value ICVt.

Ksys: system signature key used to add a common signature 
or ICV to a distribution system. 

Kdev: recording and reproducing device signature key that 
varies depending on recording and reproducing device and that 
is used by the recording and reproducing device to add a 
signature or ICV. 

IVmem: initial value that is used for a cryptography 
process for mutual authentication, or the like. This is shared 
by the recording device. 

[0435] These keys and data are stored in the internal
memory 307 configured in the recording and reproducing device
cryptography process section 302.

(5) Configuration of Data Stored in Recording Device

[0436] Fig. 19 is a view showing how data are held on the
recording device 400. In this figure, the internal memory 405
is divided into a plurality of (in this example, N) blocks
each storing the following keys and data:

IDmem: recording device identification information that
is unique to the recording device 400.

Kake: authentication key that is used for mutual 
authentication with the recording and reproducing device 300. 

IVmem: initial value that is used for a cryptography 
process for mutual authentication, or the like. 

Kstr: storage key that is a cryptography key for the 
block information table and other content data. 

Kr: random number generating key.

S: seed.

[0437] These data are each held in the corresponding block.
An external memory 402 holds a plurality of (in this example,
M) content data. It holds the data described in Fig. 4 as
shown, for example, in Fig. 26 or 27. The difference in
configuration between Figs. 26 and 27 will be described later.

(6) Mutual Authentication Process Between Recording and
Reproducing Device and Recording Device

(6-1) Outline of Mutual Authentication Process

[0438] Fig. 20 is a flow chart illustrating a procedure for
an authentication between the recording and reproducing device
300 and the recording device 400. At step S41, the user
inserts the recording device 400 into the recording and
reproducing device 300. If, however, the recording device 400
is capable of communication in a non-contact manner, it need
not be inserted thereinto.

[0439] When the recording device 400 is set in the
recording and reproducing device 300, a recording device
detecting means (not shown) in the recording and reproducing
device 300 shown in Fig. 3 notifies the control section 301
that the recording device 400 has been installed. Then at step
S42, the control section 301 of the recording and reproducing
device 300 transmits an initialization command to the
recording device 400 via the recording device controller 303.
On receiving the command, the recording device 400 causes the
control section 403 of the recording device cryptography
process section 401 to receive the command via the
communication section 404 and clear an authentication
completion flag if it has been set. That is, an
unauthenticated state is set.

[0440] Then at step S43, the control section 301 of the 
recording and reproducing device 300 transmits an 
initialization command to the recording and reproducing device 
cryptography process section 302. At this point, it also 
transmits a recording device insertion port number. When the 
recording device insertion port number is transmitted, even if 
a plurality of recording devices 400 are connected to the 
recording and reproducing device 300, the recording and 
reproducing device 300 can simultaneously execute 
authentication with these recording devices 400 and transmit 
and receive data thereto and therefrom. 

[0441] On receiving the initialization command, the
recording and reproducing device cryptography process section
302 of the recording and reproducing device 300 causes the 
control section 306 thereof to clear the authentication 
complete flag corresponding to the recording device insertion 
port number if it has been set. That is, the unauthenticated 
state is set. 

[0442] Then at step S44, the control section 301 of the
recording and reproducing device 300 specifies a key block
number used by the recording device cryptography process
section 401 of the recording device 400. Details of the key
block number will be described later. At step S45, the control
section 301 of the recording and reproducing device 300 reads
out the recording device identification information IDmem
stored in the specified key block in the internal memory 405
of the recording device 400. At step S46, the control section
301 of the recording and reproducing device 300 transmits the
recording device identification information IDmem to the
recording and reproducing device cryptography process section
302 to generate the authentication key Kake based on the
recording device identification information IDmem. The
authentication key Kake is generated, for example, as follows:

Kake = DES(MKake, IDmem*IVake)   (3)

[0443] In this case, the MKake denotes the master key for
the recording device authentication key used to generate the
authentication key Kake required for the mutual authentication
process executed between the recording and reproducing device
300 and the recording device 400 (see Fig. 3). The master key
can be stored in the internal memory 307 of the recording and
reproducing device 300 as described above. Additionally, the
IDmem denotes the recording device identification information
unique to the recording device 400. Furthermore, the IVake
denotes the initial key for the recording device
authentication key. In addition, in the above equation, the
DES() denotes a function that uses a first argument as
cryptography key and that encrypts the value of a second
argument based on the DES. The operation * denotes an
exclusive OR executed every 64 bits.

[0444] If, for example, the DES configuration shown in Fig. 

7 or 8 is applied, the message M shown in Figs. 7 and 8 
corresponds to the recording device identification 
information: IDmem, the key Kl corresponds to the master key 
for the device authentication key: MKake, the initial value IV 
corresponds to the value: IVake, and the output obtained is 
the authentication key Kake. 

[0445] Then at step S47, the mutual authentication process 
and the process for generating the session key Kses are 
carried out. The mutual authentication is executed between the 
encryption/decryption section 308 of the recording and 
reproducing device cryptography process section 302 and the 
encryption/decryption section 406 of the recording device 
cryptography process section 401; the control section 301 of 
the recording and reproducing device 300 mediates therebetween. 

[0446] The mutual authentication process can be executed as 
previously described in Fig. 13. In the configuration shown in 
Fig. 13, A and B correspond to the recording and 
reproducing device 300 and the recording device 400, 
respectively. First, the recording and reproducing device 
cryptography process section 302 of the recording and 
reproducing device 300 generates the random number Rb and 
transmits the Rb and the recording and reproducing device 
identification information IDdev, which is its own ID, to the 
recording device cryptography process section 401 of the 
recording device 400. The recording and reproducing device 
identification information IDdev is an identifier unique to a 
reproducing device stored in a memory section configured in 
the recording and reproducing device 300. The recording and 
reproducing device identification information IDdev may be 
recorded in the internal memory of the recording and 
reproducing device cryptography process section 302. 

[0447] On receiving the random number Rb and the 
recording and reproducing device identification information 
IDdev, the recording device cryptography process section 401 
of the recording device 400 generates a new 64-bit random 
number Ra, encrypts the data in the DES CBC mode in the order 
of the Ra, Rb, and recording and reproducing device 
identification information IDdev using the authentication key 
Kake, and returns them to the recording and reproducing device 
cryptography process section 302 of the recording and 
reproducing device 300. For example, according to the DES CBC 
mode process configuration shown in Fig. 7, the Ra, Rb, and 
IDdev correspond to the M1, M2, and M3, respectively, and when 
the initial value is IV=IVmem, the outputs E1, E2, and E3 are 
encrypted texts. 

[0448] On receiving the encrypted texts E1, E2, and E3, the 
recording and reproducing device cryptography process section 
302 of the recording and reproducing device 300 decrypts the 
received data with the authentication key Kake. To decrypt the 
received data, the encrypted text E1 is first decrypted with 
the key Kake and the result and the IVmem are exclusive-ORed 
to obtain the random number Ra. Then, the encrypted text E2 is 
decrypted with the key Kake, and the result and the E1 are 
exclusive-ORed to obtain the Rb. Finally, the encrypted text 
E3 is decrypted with the key Kake, and the result and the E2 
are exclusive-ORed to obtain the recording and reproducing 
device identification information IDdev. Of the Ra, Rb, and 
recording and reproducing device identification information 
IDdev thus obtained, the Rb and recording and reproducing 
device identification information IDdev are checked for 
equality to those transmitted by the recording and reproducing 
device 300. If they are successfully verified, the recording 
and reproducing device cryptography process section 302 of the 
recording and reproducing device 300 authenticates the 
recording device 400. 

[0449] Then, the recording and reproducing device 
cryptography process section 302 of the recording and 
reproducing device 300 generates a session key (hereafter 
referred to as "Kses") used after the authentication 
(this Kses is generated using a random number). The Rb, Ra, and 
Kses are encrypted in the DES CBC mode in this order using the 
key Kake and the initial value IVmem and then returned to the 
recording device cryptography process section 401 of the 
recording device 400. 

[0450] On receiving the data, the recording device 
cryptography process section 401 of the recording device 400 
decrypts the received data with the key Kake. The method for 
decrypting the received data is similar to that executed by 
the recording and reproducing device cryptography process 
section 302 of the recording and reproducing device 300, so 
detailed description thereof is omitted. Of the Ra, Rb, and 
Kses thus obtained, the Rb and Ra are checked for equality to 
those transmitted by the recording device 400. If they are 
successfully verified, the recording device cryptography 
process section 401 of the recording device 400 authenticates 
the recording and reproducing device 300. After these devices 
have authenticated each other, the session key Kses is used as 
a common key for secret communication after the authentication. 

[0451] If illegality or inequality is found during the 
verification of the received data, the mutual authentication 
is considered to have failed and the process is aborted. 

[0452] If the mutual authentication has been successful, 
the process proceeds from step S48 to step S49 where the 
recording and reproducing device cryptography process section 
302 of the recording and reproducing device 300 holds the 
session key Kses and where the authentication complete flag is 
set, indicating that the mutual authentication has been 
completed. Additionally, if the mutual authentication has 
failed, the process proceeds to step S50, the session key Kses 
is discarded and the authentication complete flag is cleared. 
If the flag has already been cleared, the clearing process is 
not necessarily required. 

[0453] If the recording device 400 is removed from the 
recording device insertion port, the recording device 
detecting means in the recording and reproducing device 300 
notifies the control section 301 of the recording and 
reproducing device 300 that the recording device 400 has been 
removed. In response to this, the control section 301 of the 
recording and reproducing device 300 commands the recording 
and reproducing device cryptography process section 302 of the 
recording and reproducing device 300 to clear the 
authentication complete flag corresponding to the recording 
device insertion port number. In response to this, the 
recording and reproducing device cryptography process section 
302 of the recording and reproducing device 300 clears the 
authentication complete flag corresponding to the recording 
device insertion port number. 

[0454] The example has been described where the mutual 
authentication process is executed in accordance with the 
procedure shown in Fig. 13, but the present invention is not 
limited to the above described example of authentication 
process. The process may be executed, for example, in 
accordance with the above described mutual authentication 
procedure in Fig. 15. Alternatively, in the procedure shown in 
Fig. 13, A in Fig. 13 may be set as the recording and 
reproducing device 300, B may be set as the recording 
device 400, and the ID that the B: recording device 400 first 
delivers to the A: recording and reproducing device 300 may be 
set as the recording device identification information in the 
key block in the recording device 400. Various processes are 
applicable to the authentication process procedure executed in 
the present invention, and the present invention is not 
limited to the above described authentication process. 
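
The exchange of paragraphs [0446] to [0452], written out in Go with the standard library's single DES. This is an added example, not code from the patent. The 8-byte field sizes, the function names and the sample values are assumptions, and Kake is assumed to be written into the key block with equation (3) when the recording device is made.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

type keyBlock struct{ IDmem, Kake, IVmem []byte } // held by recording device 400

// cbc runs single-DES CBC over whole 8-byte blocks (no padding).
func cbc(key, iv, data []byte, encrypt bool) ([]byte, error) {
	blk, err := des.NewCipher(key)
	if err != nil || len(iv) != 8 || len(data) == 0 || len(data)%8 != 0 {
		return nil, errors.New("key and IV must be 8 bytes, data a multiple of 8")
	}
	out := make([]byte, len(data))
	if encrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, data)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, data)
	}
	return out, nil
}

// deriveKake is equation (3): one CBC block, M = IDmem, K1 = MKake, IV = IVake.
func deriveKake(mkake, idmem, ivake []byte) ([]byte, error) {
	return cbc(mkake, ivake, idmem, true)
}

func random8() []byte {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func same(a, b []byte) bool { return subtle.ConstantTimeCompare(a, b) == 1 }

// cardRespond: the recording device 400 picks Ra and returns E1..E3.
func cardRespond(kb keyBlock, rb, iddev []byte) (ra, msg []byte, err error) {
	ra = random8()
	msg, err = cbc(kb.Kake, kb.IVmem, bytes.Join([][]byte{ra, rb, iddev}, nil), true)
	return ra, msg, err
}

// deviceVerify: device 300 checks Rb and IDdev, then wraps Rb, Ra, Kses.
func deviceVerify(kake, ivmem, rb, iddev, msg []byte) (kses, reply []byte, err error) {
	pt, err := cbc(kake, ivmem, msg, false)
	if err != nil || len(pt) != 24 || !same(pt[8:16], rb) || !same(pt[16:], iddev) {
		return nil, nil, errors.New("recording device not authenticated")
	}
	kses = random8()
	reply, err = cbc(kake, ivmem, bytes.Join([][]byte{rb, pt[:8], kses}, nil), true)
	return kses, reply, err
}

// cardVerify: the recording device 400 checks Rb and Ra and accepts Kses.
func cardVerify(kb keyBlock, ra, rb, msg []byte) ([]byte, error) {
	pt, err := cbc(kb.Kake, kb.IVmem, msg, false)
	if err != nil || len(pt) != 24 || !same(pt[:8], rb) || !same(pt[8:16], ra) {
		return nil, errors.New("recording and reproducing device not authenticated")
	}
	return pt[16:], nil
}

// mutualAuth runs steps S46 to S50 for one device and one key block.
func mutualAuth(mkake, ivake, iddev []byte, kb keyBlock) (devKses, cardKses []byte, err error) {
	kake, err := deriveKake(mkake, kb.IDmem, ivake) // S46
	if err != nil {
		return nil, nil, err
	}
	rb := random8()                             // device -> card: Rb, IDdev
	ra, msg2, err := cardRespond(kb, rb, iddev) // card -> device: E1, E2, E3
	if err != nil {
		return nil, nil, err
	}
	devKses, msg3, err := deviceVerify(kake, kb.IVmem, rb, iddev, msg2)
	if err != nil {
		return nil, nil, err // S50: Kses is discarded
	}
	if cardKses, err = cardVerify(kb, ra, rb, msg3); err != nil {
		return nil, nil, err
	}
	return devKses, cardKses, nil // S49: both sides now hold Kses
}

func main() { // constructed sample values, not taken from the patent
	mk, ivake, iddev := []byte("MKake-JP"), []byte("IVake-00"), []byte("IDdev-01")
	kb := keyBlock{IDmem: []byte("IDmem-01"), IVmem: []byte("IVmem-01")}
	kb.Kake, _ = deriveKake(mk, kb.IDmem, ivake) // written when the card is made (assumed)
	_, _, err := mutualAuth(mk, ivake, iddev, kb)
	_, _, errOther := mutualAuth([]byte("MKake-US"), ivake, iddev, kb)
	fmt.Println("matching master key:", err, "| other master key:", errOther)
}
```

A device holding a different master key derives a different Kake, so its check of Rb and IDdev fails and no session key is kept.
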
(6-2) Switching Key Block During Mutual Authentication 

[0455] The mutual authentication process in the data 
processing apparatus according to the present invention is 
partly characterized in that the authentication process is 
executed by configuring a plurality of (for example, N) key 
blocks on the recording device 400 side and allowing the 
recording and reproducing device 300 to specify one of them 
(step S44 in the process flow in Fig. 20). As previously 
described in Fig. 19, the internal memory 405 configured in 
the cryptography process section 401 of the recording device 
400 has a plurality of key blocks formed therein which store 
various different data such as key data and ID information. 
The mutual authentication process executed between the 
recording and reproducing device 300 and the recording device 
400 as described in Fig. 20 is carried out on one of the 
plurality of key blocks of the recording device 400 in Fig. 19. 

[0456] Conventional configurations for executing a mutual 
authentication process between a recording medium and a 
reproducing device therefor generally use a common 
authentication key for the mutual authentication. Thus, when 
the authentication key is to be changed for each product 
destination (e.g., country) or each product, key data required 
for authentication processes for the recording and reproducing 
device side and the recording device side must be changed on 
both devices. Accordingly, key data required for an 
authentication process stored in a newly sold recording and 
reproducing device 300 does not correspond to key data 
required for an authentication process stored in a previously 
sold recording and reproducing device 300, so the new 
recording and reproducing device 300 cannot access an old 
version of recording device 400. A similar 
situation occurs in the relationship between a new version of 
recording device 400 and the old version of recording and 
reproducing device 300. 

[0457] In the data processing apparatus according to the 
present invention, key blocks are stored in the recording 
device 400 as a plurality of different key sets as shown in 
Fig. 19. The recording and reproducing device 300 has a key 
block to be applied to the authentication process. That is, 
a specified key block set, for example, for each product 
destination (e.g., country), product, device type, version, or 
application. This set information is stored in the memory 
section of the recording and reproducing device 300, for 
example, the internal memory 307 in Fig. 3 or other storage 
elements of the recording and reproducing device 300. It 
is accessed by the control section 301 during the 
authentication process to specify a key block in accordance 
therewith. 

[0458] The master key MKake for the recording device 
authentication key in the internal memory 307 of the recording 
and reproducing device 300 is set in accordance with settings 
for a specified key block and can correspond only to that 
specified key block. It does not establish mutual 
authentication with any key blocks other than the specified 
one. 

[0459] As is seen in Fig. 19, the internal memory 405 of 
the recording device 400 has N key blocks (1 to N) set, which 
each store recording device identification information, an 
authentication key, an initial value, a storage key, a 
random-number generating key, and a seed. Each key block stores at 
least authenticating key data as data varying depending on the 
block. 

[0460] In this manner, the key data configuration of the 
key block in the recording device 400 varies depending on the 
block. Thus, for example, a key block with which a certain 
recording and reproducing device A can execute the 
authentication process using the master key MKake for the 
recording device authentication key stored in the internal 
memory can be set as a key block No. 1, and a key block with 
which a recording and reproducing device B with a different 
specification can execute the authentication process can be 
set as another key block, for example, a key block No. 2. 

[0461] Although described later in detail, when content 
is stored in the external memory 402 of the recording device 
400, the storage key Kstr stored in each key block is used to 
encrypt and store the content. More specifically, the storage 
key is used to encrypt a content key for encrypting a content 
block. 

[0462] As shown in Fig. 19, the storage key is configured 
as a key that varies depending on the block. Thus, a content 
stored in a memory of a recording device is prevented from 
being shared by two different recording and reproducing 
devices 300 set to specify different key blocks. That is, 
differently set recording and reproducing devices 300 can each 
use only the contents stored in a recording device 400 that is 
compatible with its settings. 

[0463] Data that can be made common to each key block can 
be made so, while, for example, only the authenticating key 
data and the storage key data may vary depending on the key 
block. 

[0464] In a specific example where key blocks comprising a 
plurality of different key data are configured in the 
recording device 400, for example, different key block numbers 
to be specified are set for different types of recording and 
reproducing devices 300 (e.g., an installed type, a portable 
type, and the like), or different specified key blocks are set 
for different applications. Furthermore, different key blocks 
may be set for different territories. For example, the key 
block No. 1 is specified for recording and reproducing devices 
300 sold in Japan, and the key block No. 2 is specified for 
recording and reproducing devices 300 sold in the U.S. With 
such a configuration, content that is used in different 
territories and that is stored in each recording device 400 
with a different storage key cannot be used in a recording and 
reproducing device 300 with different key settings even if a 
recording device 400 such as a memory card is transferred from 
the U.S. to Japan or vice versa, thereby preventing the 
illegal or disorderly distribution of the content stored in 
the memory. Specifically, this serves to exclude a state where 
a content key Kcon encrypted with different storage keys Kstr 
can be mutually used in two different countries. 

[0465] Moreover, at least one of the key blocks 1 to N in 
the internal memory 405 of the recording device 400 shown in 
Fig. 19 (for example, the No. N key block) may be shared by 
any recording and reproducing device 300. 

[0466] For example, when the key block No. N and the master 
key MKake for the recording device authentication key, which 
is capable of authentication, are stored in all apparatuses, 
contents can be distributed irrespective of the type of the 
recording and reproducing device 300, the type of the 
application, or the destination country. For example, 
encrypted content stored in a memory card with the storage 
key stored in the key block No. N can be used in any 
apparatuses. Music data or the like can be 
decrypted and reproduced from a memory card by encrypting the 
data with the storage key in a shared key block, storing them 
in the memory card, and setting the memory card in, for 
example, a portable sound reproducing device storing the 
master key MKake for the recording device authentication key, 
which is also shared. 

[0467] Fig. 21 shows an example of the usage of the 
recording device of the present data processing apparatus, 
which has a plurality of key blocks. For instance, a 
recording and reproducing device 2101 is a product sold in 
Japan and has a master key that establishes an authentication 
process with the key blocks No. 1 and No. 4 in the recording 
device. A recording and reproducing device 2102 is a product 
sold in the U.S. and has a master key that establishes an 
authentication process with the key blocks No. 2 and No. 4 in 
the recording device. A recording and reproducing device 2103 
is a product sold in the EU and has a master key that 
establishes an authentication process with the key blocks No. 
3 and No. 4 in the recording device. 

[0468] For example, the recording and reproducing device 
2101 establishes authentication with the key block 1 or 4 in 
the recording device A 2104 to store, in the external memory, 
contents encrypted via the storage key stored in that key 
block. The recording and reproducing device 2102 establishes 
authentication with the key block 2 or 4 in the recording 
device B 2105 to store, in the external memory, contents 
encrypted via the storage key stored in that key block. The 
recording and reproducing device 2103 establishes 
authentication with the key block 3 or 4 in the recording 
device C 2106 to store, in the external memory, contents 
encrypted via the storage key stored in that key block. Then, 
if the recording device A 2104 is installed in the recording 
and reproducing device 2102 or 2103, content encrypted with 
the storage key in the key block 1 is unavailable because 
authentication is not established between the recording and 
reproducing device 2102 or 2103 and the key block 1. On the 
other hand, content encrypted with the storage key in the 
key block 4 is available because authentication is established 
between the recording and reproducing device 2102 or 2103 and 
the key block 4. 

[0469] As described above, in the data processing apparatus 
according to the present invention, the key blocks comprising 
the plurality of different key sets are configured in the 
recording device 400, while the recording and reproducing 
device 300 stores the master key enabling authentication for a 
particular key block, thereby enabling the setting of 
restrictions on the use of contents depending on different 
use forms. 

[0470] Moreover, a plurality of key blocks, for example, 1 
to k may be specified in one recording and reproducing device 
300, while a plurality of key blocks p and q may be specified 
in the other recording and reproducing devices 300. 
Additionally, a plurality of sharable key blocks may be 
provided. 

(7) Process for Downloading from Recording and Reproducing 
Device to Recording Device 

[0471] Next, a process for downloading content from the 
recording and reproducing device 300 to the external memory of 
the recording device 400 in the present data processing 
apparatus will be explained. 

[0472] Fig. 22 is a flow chart illustrating a procedure for 
downloading a content 
from the recording and reproducing device 300 to the recording 
device 400. In this figure, the above described mutual 
authentication process is assumed to have been completed 
between the recording and reproducing device 300 and the 
recording device 400. 

[0473] At step S51, the control section 301 of the 
recording and reproducing device 300 uses the read section 304 
to read data of a predetermined format out from the medium 500 
storing contents or uses the communication section 305 to 
receive data from the communication means 600 in accordance 
with a predetermined format. Then, the control section 301 of 
the recording and reproducing device 300 transmits the header 
section (see Fig. 4) of the data to the recording and 
reproducing device cryptography process section 302 of the 
recording and reproducing device 300. 

[0474] Next, at step S52, the control section 306 of the 
recording and reproducing device cryptography process section 
302, which has received the header at step S51, causes the 
encryption/decryption section 308 of the recording and 
reproducing device cryptography process section 302 to 
calculate the ICVa. The ICVa is calculated in accordance with 
the ICV calculation method described in Fig. 7, using as a key the 
integrity-check-value-A-generating key Kicva stored in the 
internal memory 307 of the recording and reproducing device 
cryptography process section 302 and using the content ID and 
the usage policy as a message, as shown in Fig. 23. The 
initial value may be IV=0 or may be the 
integrity-check-value-A-generating initial value IVa, which is 
stored in the internal memory 307 of the recording and 
reproducing device cryptography process section 302. Finally, 
the integrity check value A and the check value ICVa stored 
in the header are compared together, and if they are equal, 
the process proceeds to step S53. 

[0475] As previously described in Fig. 4, the check value A, 
ICVa, is used to verify that the content ID and the usage 
policy have not been tampered with. If the integrity check 
value A calculated in accordance with the ICV calculation 
method described in Fig. 7 equals the check value ICVa stored 
in the header, it is determined that the content ID and the 
usage policy have not been tampered with. The integrity check 
value A from one method in Fig. 7 uses, as a key, the 
integrity-check-value-A-generating key Kicva stored in the 
internal memory 307. It uses the content ID and the usage 
policy as a message. 

[0476] Next, at step S53, the control section 306 of the 
recording and reproducing device cryptography process section 
302 causes the encryption/decryption section 308 of the 
recording and reproducing device cryptography process section 
302 to generate the distribution key Kdis. The distribution 
key Kdis is generated, for example, as follows: 

Kdis=DES(MKdis, ContentID*IVdis) (4) 

[0477] In this case, the MKdis denotes the master key for 
the distribution key for generating the distribution key Kdis. 
The master key can be stored in the internal memory 307 
of the recording and reproducing device 300 as described above. 
In addition, the content ID is identification information for 
the header section of content data. The IVdis denotes 
the initial value for the distribution key. Additionally, in 
the above equation (4), the DES() denotes a function that uses 
a first argument as a cryptography key and that encrypts the 
value of a second argument. The operation * denotes an 
exclusive OR executed every 64 bits. 

[0478] At step S54, the control section 306 of the 
recording and reproducing device cryptography process section 
302 uses the encryption/decryption section 308 of the 
cryptography process section 302, as well as the distribution 
key Kdis generated at step S53, to decrypt the block 
information table key Kbit and content key Kcon (see Fig. 4). 
Kbit and Kdis are stored in the 
header section of the data obtained from the medium 500 via 
the read section 304 or received from the communication means 
600 via the communication section 305. As shown in Fig. 4, the 
block information table key Kbit and the content key Kcon are 
encrypted beforehand with the distribution key Kdis on the 
medium 500, such as a DVD or CD, or on a communication 
path means 600 such as the Internet. 

[0479] Further, at step S55, the control section 306 of the 
recording and reproducing device cryptography process section 
302 uses the encryption/decryption section 308 of the 
recording and reproducing device cryptography process section 
302 to decrypt the block information table (BIT) with the 
block information table key Kbit decrypted at step S54. The 
block information table (BIT), as shown in Fig. 4, is 
encrypted beforehand with the block information table key Kbit 
on the medium 500 such as the DVD or CD, or the communication 
path means 600 such as the Internet. 

[0480] Further, at step S56, the control section 306 of the 
recording and reproducing device cryptography process section 
302 divides the block information table key Kbit, the content 
key Kcon, and the block information table (BIT) into 8-byte 
pieces, which are all exclusive-ORed (any operation such as an 
addition or subtraction may be used). Next, the control 
section 306 of the recording and reproducing device 
cryptography process section 302 causes the 
encryption/decryption section 308 of the recording and 
reproducing device cryptography process section 302 to 
calculate the integrity check value B (ICVb). The 
ICVb is generated by using as a key the 
integrity-check-value-B-generating key Kicvb stored in the 
internal memory 307 of the recording and reproducing device 
cryptography process section 302. This is done to decrypt 
the previously calculated exclusive-ORed value based on the 
DES, as shown in Fig. 24. Finally, the integrity check value B 
and the ICVb in the header are compared together, and if they 
are equal, the process proceeds to step S57. 

[0481] As previously described in Fig. 4, the check value B, 
ICVb, is used to verify that the block information table key 
Kbit, the content key Kcon, and the block information table 
(BIT) have not been tampered with. If the generated integrity 
check value B equals the check 
value ICVb stored in the header, it is determined that the 
block information table key Kbit, the content key Kcon, and 
the block information table have not been tampered with. The 
integrity check value B is generated by using, as a key, the 
integrity-check-value-B-generating key Kicvb stored in the 
internal memory 307, dividing the block information table key 
Kbit, the content key Kcon, and the block information table 
(BIT) into 8-byte pieces; exclusive-ORing these data; and 
encrypting the exclusive-ORed data based on the DES. 

[0482] At step S57, the control section 306 of the 
recording and reproducing device cryptography process section 
302 causes the encryption/decryption section 308 of the 
recording and reproducing device cryptography process section 
302 to calculate an intermediate integrity check value. The 
intermediate value is calculated in accordance with the ICV 
calculation method described in Fig. 7. This is done using 
the total-integrity-check-value-generating key Kicvt 
as a key. The key is stored in the internal memory 307 of the 
recording and reproducing device cryptography process section 
302. The calculation uses the integrity check values A and B and 
all the held content integrity check values as a message. The 
initial value may be IV=0 or the 
total-integrity-check-value-generating initial value IVt may be 
used. IVt is stored 
in the internal memory 307 of the recording and reproducing 
device cryptography process section 302. Additionally, the 
intermediate integrity check value generated is stored in the 
recording and reproducing device cryptography process section 
302 of the recording and reproducing device 300, as required. 

[0483] This intermediate integrity check value is generated 
using the integrity check values A and B and all the content 
integrity check values as a message. Data verified by 
each of these integrity check values may be verified by 
collating them with the intermediate integrity check value. In 
this embodiment, however, a plurality of different integrity 
check values can be separately generated based on the 
intermediate integrity check value. This is done so that the 
process for verifying the absence of tampering, which is 
executed for shared data for the entire system, and the 
verification process for identifying data occupied 
only by each recording and reproducing device 300 after the 
download process can be distinguishably executed. The 
plurality of different integrity check values are, for 
instance, total integrity check values ICVt and the check 
value ICVdev unique to the recording and reproducing device 
300. These integrity check values will be described later. 

[0484] The control section 306 of the recording and 
reproducing device cryptography process section 302 causes the 
encryption/decryption section 308 of the recording and 
reproducing device cryptography process section 302 to 
calculate the total integrity check value ICVt. The total 
integrity check value ICVt is generated by using as a key a 
system signature key Ksys to decrypt the intermediate 
integrity check value based on the DES. Ksys can be stored in 
the internal memory 307 of the recording and reproducing 
device cryptography process section 302. Finally, 
the total integrity check value ICVt generated and the ICVt in 
the header stored at step S51 are compared together, and if 
they are equal, the process proceeds to step S58. The system 
signature key Ksys is common to a plurality of recording and 
reproducing devices 300, that is, the entire system executing 
the process of recording and reproducing certain data. 

[0485] As previously described in Fig. 4, the total 
integrity check value ICVt is used to verify that all of the 
integrity check values ICVa and ICVb and the integrity check 
value for each content block have not been tampered with. Thus, 
if the total integrity check value generated by means of the 
above-described process equals the integrity check value 
ICVt stored in the header, it is determined that all of the 
integrity check values ICVa and ICVb and the integrity check 
value for each content block have not been tampered with. 
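
The header checks of steps S52, S56 and S57, written out in Go as an added example that is not code from the patent. It assumes that the ICV of Fig. 7 is the last DES CBC block with IV=0 and zero padding, and that the single-block DES step for ICVb and ICVt is an encryption (the text uses both "encrypt" and "decrypt"). Kbit, Kcon and the BIT are taken as already decrypted, and all names and sample values are constructed.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"errors"
	"fmt"
)

// header holds the fields the checks cover (steps S53 to S55 are not shown).
type header struct {
	ContentID, UsagePolicy, Kbit, Kcon, BIT []byte
	ContentICVs                             [][]byte
	ICVa, ICVb, ICVt                        []byte
}

// keys are the values held in the internal memory 307 (8 bytes each, assumed).
type keys struct{ Kicva, Kicvb, Kicvt, Ksys []byte }

// encBlock encrypts one 8-byte block with single DES.
func encBlock(key, in []byte) []byte {
	blk, err := des.NewCipher(key)
	if err != nil {
		panic(err) // a key that is not 8 bytes is a programming error here
	}
	out := make([]byte, 8)
	blk.Encrypt(out, in)
	return out
}

// xorFold XORs every 8-byte piece of its inputs into one block (step S56).
func xorFold(parts ...[]byte) []byte {
	acc := make([]byte, 8)
	for _, p := range parts {
		for i, b := range p {
			acc[i%8] ^= b
		}
	}
	return acc
}

// cbcICV returns the last DES CBC block over the concatenated parts with IV=0.
// Taking the last block as the ICV and zero-padding a short tail are assumptions.
func cbcICV(key []byte, parts ...[]byte) []byte {
	var msg []byte
	for _, p := range parts {
		msg = append(msg, p...)
	}
	icv := make([]byte, 8)
	for i := 0; i < len(msg); i += 8 {
		end := i + 8
		if end > len(msg) {
			end = len(msg)
		}
		icv = encBlock(key, xorFold(icv, msg[i:end]))
	}
	return icv
}

func (k keys) icva(h header) []byte { return cbcICV(k.Kicva, h.ContentID, h.UsagePolicy) }
func (k keys) icvb(h header) []byte { return encBlock(k.Kicvb, xorFold(h.Kbit, h.Kcon, h.BIT)) }
func (k keys) icvt(h header) []byte {
	all := append([][]byte{h.ICVa, h.ICVb}, h.ContentICVs...)
	return encBlock(k.Ksys, cbcICV(k.Kicvt, all...)) // Ksys over the intermediate value
}

// verifyHeader makes the comparisons of steps S52, S56 and S57 in that order.
func (k keys) verifyHeader(h header) error {
	eq := func(a, b []byte) bool { return subtle.ConstantTimeCompare(a, b) == 1 }
	switch {
	case !eq(k.icva(h), h.ICVa):
		return errors.New("S52: ICVa mismatch (content ID or usage policy)")
	case !eq(k.icvb(h), h.ICVb):
		return errors.New("S56: ICVb mismatch (Kbit, Kcon or BIT)")
	case !eq(k.icvt(h), h.ICVt):
		return errors.New("S57: ICVt mismatch (a stored integrity check value)")
	}
	return nil
}

// sample returns constructed keys and a constructed, correctly sealed header.
func sample() (keys, header) {
	k := keys{[]byte("Kicva-01"), []byte("Kicvb-02"), []byte("Kicvt-03"), []byte("Ksys--04")}
	h := header{
		ContentID: []byte("CONTENT-00000001"), UsagePolicy: []byte("play-only;cnt=03"),
		Kbit: []byte("Kbit-key"), Kcon: []byte("Kcon-key"), BIT: []byte("blocks=2;verify1"),
		ContentICVs: [][]byte{[]byte("blk1-icv")},
	}
	h.ICVa, h.ICVb = k.icva(h), k.icvb(h) // what the header generating side stores
	h.ICVt = k.icvt(h)
	return k, h
}

func main() {
	k, h := sample()
	fmt.Println("sealed header:", k.verifyHeader(h))
	h.UsagePolicy = []byte("play-free;cnt=99")
	fmt.Println("edited usage policy:", k.verifyHeader(h))
}
```
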

[0486] Then at step S58, the control section 301 of the 
recording and reproducing device 300 takes content block 
information out from the block information table (BIT) and 
checks whether any content block is to be verified. If any 
content block is to be verified, the content integrity check 
value has been stored in the block information in the header. 

[0487] If any content block is to be verified, the control 
section 301 reads this content block out from the medium 500 
by using the read section 304 of the recording and reproducing 
device 300 or receives it from the communication means 600 by using 
the communication section 305 of the recording and reproducing 
device 300. Control section 301 transmits the content 
block to the recording and reproducing device cryptography 
process section 302 of the recording and reproducing device 
300. On receiving the content block, the control section 306 
of the recording and reproducing device cryptography process 
section 302 causes the encryption/decryption section 308 of 
the recording and reproducing device cryptography process 
section 302 to calculate the content intermediate value. 
[0488] The content intermediate value is generated by using 
the content key Kcon decrypted at step S54 to decrypt an input 
content block in the DES CBC mode, separating the resulting 
data into 8-byte pieces, and exclusive-ORing all these pieces 
(any operation such as an addition or subtraction may be used).
[0489] Then, the control section 306 of the recording and
reproducing device cryptography process section 302 causes the
encryption/decryption section 308 of the recording and
reproducing device cryptography process section 302 to
calculate the content integrity check value. The content
integrity check value is generated by using as a key the
content-integrity-check-value-generating key Kicvc to decrypt
the content intermediate value based on the DES. Kicvc is stored
in the internal memory 307 of the recording and reproducing
device cryptography process section 302. Then, the control
section 306 of the recording and reproducing device
cryptography process section 302 compares this content
integrity check value with the ICV in the content block
received from the control section 301 of the recording and
reproducing device 300 at step S51. It then passes the
result to the control section 301 of the recording and
reproducing device 300. On receiving the result, and if the
verification has been successful, the control section 301 of
the recording and reproducing device 300 takes out the next
content block to be verified and causes the recording and
reproducing device cryptography process section 302 of the
recording and reproducing device 300 to verify this content
block. Similar verification processes are repeated until all
the content blocks are verified. The initial value may be IV=0,
or the content-integrity-check-value-generating initial value
IVc used may be that which is stored in the internal
memory 307 of the recording and reproducing device
cryptography process section 302 (if the header generating
side uses the same settings). Additionally, all the checked
content integrity check values are held in the recording and
reproducing device cryptography process section 302 of the
recording and reproducing device 300. Furthermore, the
recording and reproducing device cryptography process section
302 of the recording and reproducing device 300 monitors the
order in which the content blocks are verified. This is done
to consider whether the authentication has failed (if
the order is incorrect) or if it verifies the
same content block twice or more. If all the content blocks
have been successfully verified, the process proceeds to step
S59.

[0490] Then at step S59, the recording and reproducing
device cryptography process section 302 of the recording and
reproducing device 300 causes the encryption/decryption
section 308 of the recording and reproducing device
cryptography process section 302 to encrypt the block
information table key Kbit and content key Kcon decrypted at
step S54. This is done using the session key Kses made
sharable during the mutual authentication. The control section
301 of the recording and reproducing device 300 reads the
block information table key Kbit and content key Kcon from the
recording and reproducing device cryptography process section
302 of the recording and reproducing device 300. The block
information table key Kbit and content key Kcon are
decrypted using the session key Kses. The control section 301
then transmits these data to the recording device 400 via the
recording device controller 303 of the recording and
reproducing device 300.

[0491] Then at step S60, on receiving the block information
table key Kbit and content key Kcon transmitted from the
recording and reproducing device 300, the recording device 400
causes the encryption/decryption section 406 of the recording
device cryptography process section 401 to decrypt the
received data using the session key Kses. Kses is made
sharable during the mutual authentication.
Encryption/decryption section 406 reencrypts the decrypted
data with the storage key Kstr, which is unique to the
recording device and is stored in the internal memory 405
of the recording device cryptography process 401. Finally, the
control section 301 of the recording and reproducing device
300 reads the block information key Kbit and the content key
Kcon out from the recording device 400 via the recording
device controller 303 of the recording and reproducing device
300. The block information key Kbit and the content key
Kcon can be reencrypted with the storage key Kstr. These
are then substituted with the block information key Kbit and
content key Kcon encrypted with the distribution key Kdis.
[0492] At step S61, the control section 301 of the 
recording and reproducing device 300 takes the localization 
field out from the usage policy in the header section of the 
data to determine whether the downloaded content can be used 
only in this recording and reproducing device 300 (in this
case, the localization field is set to 1) or also by other
similar recording and reproducing devices 300 (in this case,
the localization field is set to 0). If the result of the
determination shows that the localization field is set to 1, 
the process proceeds to step S62. 

[0493] At step S62, the control section 301 of the 
recording and reproducing device 300 causes the recording and 
reproducing device cryptography process section 302 of the 
recording and reproducing device 300 to calculate the 
integrity check value unique to the recording and reproducing 
device 300. The integrity check value unique to the recording
and reproducing device 300 is generated by using as a key a
recording and reproducing device signature key Kdev to decrypt
the intermediate integrity check value based on the DES, the
intermediate integrity check value being held at step S58.
Kdev is stored in the internal memory 307. The calculated
integrity check value ICVdev unique to the recording and 
reproducing device 300 substitutes for the total integrity 
check value ICVt. 

[0494] As previously described, the system signature key
Ksys is used to add a common signature, or ICV, to the
distribution system. The recording and reproducing
device 300 signature key Kdev varies depending on the
recording and reproducing device 300 and is used by the
recording and reproducing device to add a signature or ICV.
That is, data signed with the system signature key Ksys are
successfully checked by a system (recording and reproducing
device 300) having the same system signature key.
Specifically, such data have the same total integrity check
value ICVt so as to be sharable. If, however, data is
signed with the recording and reproducing device signature key
Kdev, the data stored in a recording device after the signing
cannot be reproduced if an attempt is made to reproduce it after
this recording device has been inserted in another recording
and reproducing device 300. That is, an error occurs due to
the unequal integrity check values ICVdev unique to the
recording and reproducing device 300.

[0495] Thus, in the data processing apparatus according to
the present invention, the setting of the localization field
enables contents to be arbitrarily set so as to be shared
throughout the entire system or used only by particular
recording and reproducing devices 300.

[0496] At step S63, the control section 301 of the 
recording and reproducing device 300 stores the content in the 
external memory 402 of the recording device 400. 

[0497] Fig. 26 is a view showing how the content is stored
in the recording device 400 if the localization field is set
to 0. Fig. 27 is a view showing how the content is stored in
the recording device 400 if the localization field is set to 1.
The only difference between Figs. 26 and 4 is whether
the content block information key Kbit and the content key
Kcon are encrypted with the distribution key Kdis or the
storage key Kstr. The difference between Figs. 27 and 26 is
that the integrity check value calculated from the
intermediate integrity check value is encrypted with the
system signature key Ksys in Fig. 26, whereas it is encrypted
with the recording and reproducing device signature key Kdev
unique to the recording and reproducing device 300 in Fig. 27.
[0498] In the process flow of Fig. 22, if the
verification of the integrity check value A has failed at step
S52, if the verification of the integrity check value B has
failed at step S56, if the verification of the total integrity
check value ICVt has failed at step S57, or if the
verification of the content block content integrity check
value has failed at step S58, then the process proceeds to
step S64 to provide a predetermined error display because the
verification is no good.

[0499] In addition, if the localization field is 0 at step
S61, the process skips step S62 to advance to step S63.

(8) Process Executed by Recording and Reproducing Device to
Reproduce Information Stored in Recording Device

[0500] Next, a process executed by the recording and 
reproducing device 300 to reproduce content information stored 
in the external memory 402 of the recording device 400 is 
analyzed.

[0501] Fig. 28 illustrates a procedure executed by the recording
and reproducing device 300 to read content out from the
recording device 400 and use it. In Fig. 28, the mutual
authentication is assumed to have been completed between the
recording and reproducing device 300 and the recording device
400.

[0502] At step S71, the control section 301 of the 
recording and reproducing device 300 uses the recording device 
controller 303 to read the content out from the external 
memory 402 of the recording device 400. The control section 
301 of the recording and reproducing device 300 then transmits 
the header section of the data to the recording and 
reproducing device cryptography process section 302 of the 
recording and reproducing device 300. Step S72 is similar to
step S52 described in "(7) Process for Downloading from
Recording and Reproducing Device to Recording Device". At
this step, the control section 306 of the recording and
reproducing device cryptography process section 302, which has
received the header, causes the encryption/decryption section
308 of the recording and reproducing device cryptography
process section 302 to calculate the integrity check value A.
The integrity check value A is calculated in accordance with
an ICV calculation method similar to that described in Fig. 7,
using, as a key, the integrity-check-value-A-generating key
Kicva and using the content ID and the usage policy as a
message, as shown in Fig. 23. Kicva can be stored in the
internal memory 307 of the recording and reproducing device
cryptography process section 302.
[0503] As previously described, the check value A, ICVa, is
used to verify that the content ID and the usage policy have
not been tampered with. If the integrity check value A
calculated in accordance with the ICV calculation method
described in Fig. 7 equals the check value ICVa stored in the
header, it is determined that the content ID and usage policy
stored in the recording device 400 have not been tampered with.
Integrity check value A is calculated using, as a key, the
integrity-check-value-A-generating key Kicva stored in the
internal memory 307 and using the content ID and the usage
policy as a message.

[0504] Then at step S73, the control section 301 of the
recording and reproducing device 300 takes the block
information table key Kbit and the content key Kcon out from
the read-out header section. It then transmits them to the
recording device 400 via the recording device controller 303
of the recording and reproducing device 300. On receiving the
block information table key Kbit and the content key Kcon
transmitted from the recording and reproducing device 300, the
recording device 400 causes the encryption/decryption section
406 of the recording device cryptography process section 401
to decrypt the received data with the storage key Kstr and to
then reencrypt the decrypted data using the session key Kses
made sharable during the mutual authentication. Kstr is unique
to the recording device and is stored in the internal memory
405. Then, the control section 301 of the recording and
reproducing device 300 reads the block information key Kbit
and the content key Kcon out from the recording device 400 via
the recording device controller 303 of the recording and
reproducing device 300. The block information key Kbit and
the content key Kcon can be reencrypted with the session
key Kses from the recording device 400.
[0505] Then at step S74, the control section 301 of the
recording and reproducing device 300 transmits the received
block information key Kbit and content key Kcon to the
recording and reproducing device cryptography process section
302 of the recording and reproducing device 300. The block
information key Kbit and content key Kcon can be
reencrypted with the session key Kses.

[0506] On receiving the block information key Kbit and
content key Kcon reencrypted with the session key Kses, the
recording and reproducing device cryptography process section
302 of the recording and reproducing device 300 causes the
encryption/decryption section 308 of the recording and
reproducing device cryptography process section 302 to decrypt
the block information key Kbit and content key Kcon encrypted
with the session key Kses. This is done using the session key
Kses made sharable during the mutual authentication. The
recording and reproducing device cryptography process section
302 then causes the encryption/decryption section 308 to
decrypt the block information table received at step S71.
This is done using the decrypted block information table key
Kbit.

[0507] The recording and reproducing device cryptography
process section 302 of the recording and reproducing device
300 substitutes the decrypted block information table key Kbit, 
content key Kcon, and block information table BIT with those 
received at step S71 for retention. In addition, the control 
section 301 of the recording and reproducing device 300 reads 
the decrypted block information table BIT out from the 
recording and reproducing device cryptography process section 
302 of the recording and reproducing device 300. 

[0508] Step S75 is similar to step S56 described in
"(7) Process for Downloading from Recording and Reproducing
Device to Recording Device". The control section 306 of the
recording and reproducing device cryptography process section
302 divides the block information table key Kbit, content key
Kcon, and block information table (BIT) read out from the
recording device 400, into 8-byte pieces and then
exclusive-ORs all of them. The control section 306 of the
recording and reproducing device cryptography process section
302 then causes the encryption/decryption section 308 of the
recording and reproducing device cryptography process section
302 to calculate the integrity check value B (ICVb). ICVb is
generated by using as a key the integrity-check-value-B-generating
key Kicvb stored in the internal memory 307 of the recording and
reproducing device cryptography process section 302, as shown in
the previously described Fig. 24. This is done to encrypt
the previously calculated exclusive-ORed value based on the
DES. Finally, the check value B and the ICVb in the header are
compared together, and if they are equal, the process proceeds
to step S76.

[0509] As previously described, the check value B, ICVb, is
used to verify that the block information table key Kbit, the
content key Kcon, and the block information table have not
been tampered with. If the integrity check value B generated
by using as a key the integrity-check-value-B-generating key
Kicvb equals the check value ICVb stored in the header of the
data read out from the recording device 400, it is determined
that the block information table key Kbit, the content key Kcon,
and the block information table have not been tampered with.
Kicvb is stored in the internal memory 307. The block information
table key Kbit, the content key Kcon, and the block
information table (BIT) read from the recording device 400 are
divided into 8-byte pieces. This data is exclusive-ORed. The
exclusive-ORed data is encrypted based on the DES.
[0510] At step S76, the control section 306 of the
recording and reproducing device cryptography process section
302 causes the encryption/decryption section 308 of the
recording and reproducing device cryptography process section
302 to calculate the intermediate integrity check value. The
intermediate value is calculated in accordance with the ICV
calculation method described in Fig. 7 or the like. This is
done using as a key the total-integrity-check-value-generating
key Kicvt as a message. Kicvt is stored
in the internal memory 307. Kicvt incorporates the integrity
check values A and B and all the held content integrity check
values. The initial value may be IV=0 or the
total-integrity-check-value-generating initial value IVt may
be used. Additionally, the intermediate integrity check value
generated is stored in the recording and reproducing device
cryptography process section 302.

[0511] Then at step S77, the control section 301 of the
recording and reproducing device 300 takes the localization
field out from the usage policy (contained in the header
section of the data read out from the external memory 402 of
the recording device 400), to determine whether the downloaded
content can be used only in this recording and reproducing
device 300 (in this case, the localization field is set to 1),
or also by other similar recording and reproducing devices 300
(in this case, the localization field is set to 0). If the
result of the determination shows that the localization field
is set to 1, the process proceeds to step S80. A value of 1
means that it is set such that the downloaded content can be
used only in this recording and reproducing device 300. If the
localization is set to 0, then the process proceeds to step S78.
A value of 0 means that it is set such that the content can
also be used by other similar recording and reproducing device
300. Step S77 may be processed by the cryptography process
section 302.

[0512] At step S78, the total integrity check value ICVt is
calculated in the same manner as step S58 described in "(7)
Process for Downloading from Recording and Reproducing Device
to Recording Device". That is, the control section 306 of the
recording and reproducing device cryptography process section
302 causes the encryption/decryption section 308 of the
recording and reproducing device cryptography process section
302 to calculate the total integrity check value ICVt. The
total integrity check value ICVt is generated by using
a system signature key Ksys as a key to encrypt the
intermediate integrity check value based on the DES, as shown
in Fig. 25. Ksys can be stored in the internal memory 307 of
the recording and reproducing device cryptography process
section 302.

[0513] Then, the process proceeds to step S79 to compare the
total integrity check value ICVt generated at step S78 with 
the ICVt in the header stored at step S71. If the values are 
equal, the process proceeds to step S82. 

[0514] As previously described, the total integrity check 
value ICVt is used to verify that the integrity check values 
ICVa and ICVb and all the content block integrity check values 
have not been tampered with. Thus, if the total integrity
check value generated by means of the above described process
equals the integrity check value ICVt stored in the header,
it is determined that the integrity check values ICVa and ICVb 
and all the content block integrity check values have not been 
tampered with in the data stored in the recording device 400. 
[0515] If the result of the determination at step S77 shows
that the localization field is set such that the downloaded
content can be used only in this recording and reproducing 
device 300, that is, it is set to 1, the process proceeds to 
step S80. 

[0516] At step S80, the control section 306 of the
recording and reproducing device cryptography process section
302 causes the encryption/decryption section 308 of the
recording and reproducing device cryptography process section
302 to calculate the integrity check value ICVdev unique to
the recording and reproducing device 300. The integrity check
value ICVdev unique to the recording and reproducing device
300 is generated, as shown in the previously described Fig. 25,
by using a recording and reproducing device signature
key Kdev as a key to encrypt the intermediate integrity check
value based on the DES, the intermediate integrity check value
being held at step S58. Kdev is unique to the recording and
reproducing device, and is stored in the internal memory 307.
At step S81, the check value ICVdev (unique to the recording and
reproducing device 300) calculated at step S80 is compared with
the ICVdev stored at step S71. If they are equal, the process
proceeds to step S82.

[0517] Thus, data signed with the same system signature key
Ksys are successfully checked by a system (recording and
reproducing device 300) having the same system signature key.
That is, such data have the same total integrity check value
ICVt so as to be sharable. If, however, data is signed with
the recording and reproducing device signature key Kdev, the
data stored in a recording device 400 after the signing cannot
be reproduced if an attempt is made to reproduce it after this
recording device 400 has been inserted in another recording and
reproducing device 400. That is, an error occurs due to a
mismatch in the integrity check value ICVdev unique to the
recording and reproducing device 300. Accordingly, the setting
of the localization field enables contents to be arbitrarily
set so as to be shared throughout the entire system or used
only by particular recording and reproducing devices 300.
[0518] At step S82, the control section 301 of the
recording and reproducing device 300 takes content block
information out from the block information table (BIT) (read
out at step S74) and checks whether any content block is to be
encrypted. If any content block is to be encrypted, the
control section 301 reads this content block out from the
external memory 402 of the recording device 400 via the
recording device controller 303 of the recording and
reproducing device 300. It then transmits the content
block to the recording and reproducing device cryptography
process section 302 of the recording and reproducing device
300. On receiving the content block, the control section 306
of the recording and reproducing device cryptography process
section 302 causes the encryption/decryption section 308 of
the recording and reproducing device cryptography process
section 302 to decrypt the content. The control section
306 also causes the encryption/decryption section 308 to
calculate the content integrity check value at step S83 if
the content block is to be verified.

[0519] Step S83 is similar to step S58 described in "(7)
Process for Downloading from Recording and Reproducing Device
to Recording Device". The control section 301 of the
recording and reproducing device 300 takes content block
information out from the block information table (BIT) and
determines from the stored content integrity check value
whether any content block is to be verified. If any content
block is to be verified, the control section 301 receives this
content block from the external memory 402 of the recording
device 400 and transmits it to the recording and reproducing
device cryptography process section 302 of the recording and
reproducing device 300. On receiving the content block, the
control section 306 of the recording and reproducing device
cryptography process section 302 causes the
encryption/decryption section 308 of the recording and
reproducing device cryptography process section 302 to
calculate the content intermediate value.

[0520] The content intermediate value is generated by using
the content key Kcon (decrypted at step S74) to decrypt the
input content block in the DES CBC mode, separating the
resulting data into 8-byte pieces, and exclusive-ORing all
these pieces.

[0521] Then, the control section 306 of the recording and
reproducing device cryptography process section 302 causes the
encryption/decryption section 308 of the recording and
reproducing device cryptography process section 302 to
calculate the content integrity check value. The content
integrity check value is generated by using as a key the
content-integrity-check-value-generating key Kicvc to encrypt
the content intermediate value based on the DES. Kicvc is stored
in the internal memory 307. Then, the control section 306 of
the recording and reproducing device cryptography process
section 302 compares this content integrity check value with
the ICV in the content block received from the control section
301 of the recording and reproducing device 300 at step S71,
and passes the result to the control section 301 of the
recording and reproducing device 300. On receiving the result
(and if the verification has been successful), the control
section 301 of the recording and reproducing device 300 takes
out the next content block to be verified. It causes the
recording and reproducing device cryptography process section
302 of the recording and reproducing device 300 to verify this
content block. Similar verification processes are repeated
until all the content blocks are verified. The initial value
may be IV=0 or the content-integrity-check-value-generating
initial value IVc may be used which is stored in the internal
memory 307 of the recording and reproducing device
cryptography process section 302. Additionally, all the
checked content integrity check values are held in the
recording and reproducing device cryptography process section
302 of the recording and reproducing device 300. Furthermore,
the recording and reproducing device cryptography process
section 302 of the recording and reproducing device 300
monitors the order in which the content blocks are verified.
This is done to consider the authentication to have failed if
the order is incorrect or if it is caused to verify the same
content block twice or more.

[0522] The control section 301 of the recording and
reproducing device 300 receives the result of the comparison
of the content integrity check value. If no content block
is to be verified, all the results of comparisons will be
successful. If the verification has been successful,
it takes the decrypted content from the recording and
reproducing device cryptography process section 302 of the
recording and reproducing device 300. It then takes out the next
content block to be verified and causes the recording and
reproducing device cryptography process section 302 of the
recording and reproducing device 300 to decrypt this content
block. Similar verification processes are repeated until all
the content blocks are decrypted.

[0523] At step S83, if the recording and reproducing device 
cryptography process section 302 of the recording and 
reproducing device 300 determines after the verification 
process that the content integrity check values are not equal, 
it considers the verification to have failed and avoids 
decrypting the remaining contents. In addition, the recording 
and reproducing device cryptography process section 302 of the 
recording and reproducing device 300 monitors the order in 
which the content blocks are decrypted. This is done to
consider the decryption to have failed if the order is 
incorrect or if it is caused to decrypt the same content block 
twice or more. 

[0524] If the verification of the integrity check value A
has failed at step S72, if the verification of the integrity
check value B has failed at step S75, if the verification of
the total integrity check value ICVt has failed at step S79,
if the verification of the integrity check value ICVdev unique
to the recording and reproducing device 300 has failed at step
S81, or if the verification of the content block content
integrity check value has failed at step S81, then the process
proceeds to step S84 to provide a predetermined error display
because the verification is no good.

[0525] As described above, important data or content can be
encrypted, concealed, or checked for tampering when the
content is downloaded or used. This can be done even if data
on a recording medium are simply copied to another recording
medium. The content can be prevented from being correctly
decrypted because the block information table key Kbit (for
decrypting the block information table BIT) and the content
key Kcon (for decrypting the content) are stored with the
storage key Kstr unique to the recording medium. More
specifically, for example, at step S74 in Fig. 28, another
recording device 400 cannot decrypt the data correctly because
each recording device 400 decrypts data encrypted with a
different storage key Kstr.

(9) Key Exchanging Process after Mutual Authentication 
[0526] The data processing apparatus according to the
present invention is partly characterized in that the
recording device 400 can be used only after the above
described mutual authentication process between the recording
and reproducing device 300 and the recording device 400, and
also in that the use form of the recording device is limited.

[0527] For example, to prevent a user from generating a
recording device 400 such as a memory card, in which content
is stored by means of illegal copying or the like, and setting
this recording device 400 in a recording and reproducing
device 300 for use, the mutual authentication process is
executed between the recording and reproducing device 300 and
the recording device 400, and content (that may be encrypted)
can be transferred between the recording and reproducing
device 300 and the recording device 400 only if they have
been mutually authenticated.

[0528] To achieve the above restrictive process, according
to the present data processing apparatus, all the processes in
the cryptography process section 401 of the recording device
400 are executed based on preset command strings. That is, the
recording device 400 has such a command process configuration
that it sequentially obtains commands from a register based on
command numbers. Fig. 29 is a view illustrating the command
process configuration of the recording device 400.

[0529] As shown in Fig. 29, between the recording and 
reproducing device 300 having the recording and reproducing 
device cryptography process section 302 and the recording 
device 400 having the recording device cryptography process 
section 401, command numbers (No.) are output from the 
recording device controller 303 to the communication section 
(including a reception register) 404 of the recording device 
400 under the control of the control section 301 of the 
recording and reproducing device 300. 

[0530] The recording device 400 has a command number
managing section 2901 in the control section 403 of
the cryptography process section 401. The command number
managing section 2901 holds a command register 2902.
Command register 2902 stores command strings corresponding to
command numbers output from the recording and reproducing
device 300. In the command strings, command numbers 0 to y are
sequentially associated with execution commands (as shown in
the right of Fig. 29). The command number managing section
2901 monitors command numbers output from the recording and
reproducing device 300 to take corresponding commands out from
the command register 2902 for execution.

[0531] In command sequences stored in the command register
2902, a command string for an "authentication process
sequence" is associated with the leading command numbers 0 to
k. Furthermore, command numbers p to s following the command
string for the authentication process sequence are associated
with a "decryption, key exchange, and encryption process
command sequence 1," and the following command numbers u to y
are associated with a "decryption, key exchange, and
encryption process command sequence 2."

[0532] As previously described for the authentication
process flow in Fig. 20, when the recording device 400 is
installed in the recording and reproducing device 300, the
control section 301 of the recording and reproducing device
300 transmits an initialization command to the recording
device 400 via the recording device controller 303. On
receiving the command, the recording device 400 causes the
control section 403 of the recording device cryptography
process section 401 to receive the command via the
communication section 404. It then clears an
authentication flag 2903. That is, an unauthenticated state is
set. Alternatively, in such a case that power is supplied from
the recording and reproducing device 300 to the recording
device 400, the unauthenticated state may be set upon
power-on.

[0533] Then, the control section 301 of the recording and
reproducing device 300 transmits an initialization command to
the recording and reproducing device cryptography process 
section 302. At this point, it also transmits a recording 
device insertion port number. When the recording device 
insertion port number is transmitted, even if a plurality of 
recording devices 400 are connected to the recording and 
reproducing device 300, the recording and reproducing device 
300 can simultaneously execute authentication with these 
recording devices 400 and transmit and receive data thereto 
and therefrom. 

[0534] On receiving the initialization command, the
recording and reproducing device cryptography process section
302 of the recording and reproducing device 300 causes the
control section thereof to clear the authentication flag 2904
corresponding to the recording device insertion port number.
That is, the unauthenticated state is set.

[0535] Once this initialization process has been completed,
the control section 301 of the recording and reproducing
device 300 sequentially outputs command numbers via the
recording device controller 303. This is done in an ascending
order starting with the command number 0. The command number
managing section 2901 of the recording device 400 monitors the
command numbers input from the recording and reproducing
device 300 to ascertain that they are sequentially input
starting with the command number 0. It obtains the
corresponding commands from the command register 2902 to
execute various processes, such as the authentication process.
If the input command numbers are not in a specified order, an
error occurs and a command number acceptance value is reset to
an initial state. That is, an executable command number is
reset to 0.

[0536] In the command sequences stored in the command
register 2902, the command numbers are imparted so as to
carry out the authentication process first. Following this
process sequence, the decryption, key exchange, and encryption
process sequences are stored.

[0537] A specific example of the decryption, key exchange,
and encryption process sequence will be explained with
reference to Figs. 30 and 31.

[0538] Fig. 30 shows part of the process executed in
downloading content from the recording and reproducing
device 300 to the recording device 400 as previously described 
in Fig. 22. Specifically, this process is executed between 
steps 59 and 60 in Fig. 22. 

[0539] In Fig. 30, at step S3001, the recording device 400
receives data (ex. the block information table Kbit and the
content key Kcon) encrypted with the session key Kses, from
the recording and reproducing device 300. Thereafter, the
command strings p to s (shown in the above described Fig. 29)
are started. The command strings p to s are started after the
authentication process commands 0 to k have been completed to
cause authentication flags 2903 and 2904 (shown in Fig. 29) to
be set to indicate the completion. This is ensured by the
command number managing section 2901 by accepting the command
numbers only in the ascending order starting with 0.

[0540] At step S3002, the recording device stores the data
(ex. the block information table Kbit and the content key
Kcon) received from the recording and reproducing device 300
and encrypted with the session key Kses, in the register.

[0541] At step S3003, a process is executed which takes the
data (ex. the block information table Kbit and the content key
Kcon) encrypted with the session key Kses out from the
register and decrypts them with the session key Kses.

[0542] At step S3004, a process is executed which encrypts
the data (ex. the block information table Kbit and the content
key Kcon) decrypted with the session key Kses, using the
storage key Kstr.

[0543] The above process steps 3002 to 3004 correspond to
processes included in the command numbers p to s in the
command register previously described in Fig. 29. These 
processes are sequentially executed by the recording device 
cryptography process section 401 in accordance with the 
command numbers p to s received by the command number managing 
section 2901 of the recording device 400 from the recording 
and reproducing device 300. 

[0544] At the next step S3005, the data (ex. the block
information table Kbit and the content key Kcon), encrypted
with the storage key Kstr, are stored in the external memory
of the recording device. At this step, the recording and
reproducing device 300 may read the data encrypted with the
storage key Kstr out from the recording device cryptography
process section 401 and then store them in the external
memory 402 of the recording device 400.

[0545] The above described steps S3002 to S3004 constitute
an uninterruptible, continuously-executed execution sequence.
The sequence is not interrupted even if, for example, the
recording and reproducing device 300 issues a data read
command at the end of the decryption process at step S3003.
Since this read command differs from the command numbers p to
s set in the command register 2902 in the ascending order, the
command number managing section 2901 does not accept execution
of the read command. Accordingly, the decrypted data resulting
from the key exchange in the recording device 400 cannot be
read out by an external device, for example, the recording and
reproducing device 300, thereby preventing key data or
contents from being illegally read out.

[0546] Fig. 31 shows part of the content reproducing
process, previously described in Fig. 28, in which content
is read out from the recording device 400 and reproduced by
the recording and reproducing device 300. Specifically, this
process is executed at step S73 of Fig. 28.

[0547] In Fig. 31, at step S3101, the data (ex. the block
information table Kbit and the content key Kcon), encrypted
with the storage key Kstr, are read out from the external
memory 402 of the recording device 400.

[0548] At step S3102, the data (ex. the block information
table Kbit and the content key Kcon), read out from the memory
of the recording device 400 and encrypted with the storage key
Kstr, are stored in the register. At this step, the recording
and reproducing device 300 may read the data encrypted with
the storage key Kstr out from the external memory 402 of the
recording device 400 and then store them in the register of
the recording device 400.

[0549] At step S3103, the data (ex. the block information
table Kbit and the content key Kcon), encrypted with the
storage key Kstr, are taken out from the register and
decrypted with the storage key Kstr.

[0550] At step S3104, the data (ex. the block information
table Kbit and the content key Kcon), decrypted with the
storage key Kstr, are encrypted with the session key Kses.

[0551] The above process steps 3102 to 3104 correspond to
processes included in the command numbers u to y in the
command register previously described in Fig. 29. These
processes are sequentially executed by the recording device
cryptography process section 406 in accordance with the
command numbers u to y received by the command number managing
section 2901 of the recording device from the recording and
reproducing device 300.

[0552] At the next step S3105, the data (ex. the block
information table Kbit and the content key Kcon) encrypted
with the session key Kses are transmitted from the recording
device 400 to the recording and reproducing device 300.

[0553] The above described steps S3102 to S3104 constitute
an uninterruptible, continuously-executed execution sequence.
The sequence is not interrupted even if, for example, the
recording and reproducing device 300 issues a data read
command at the end of the decryption process at step S3103.
Since this read command differs from the command numbers u to
y set in the command register 2902 in the ascending order, the
command number managing section 2901 does not accept execution
of the read command. Accordingly, the decrypted data resulting
from the key exchange in the recording device 400 cannot be
read out by an external device, for example, the recording and
reproducing device 300, thereby preventing key data or
contents from being illegally read out.

[0554] For the process shown in Figs. 30 and 31, the
example is shown where the block information table key Kbit
and the content key Kcon are decrypted and encrypted by means
of key exchange. These command sequences, stored in the
command register 2902 (shown in Fig. 29), may include
decryption and encryption processes involving key exchanges
for the content itself. The object to be decrypted or
encrypted by means of key exchanges is not limited to the
above-described example.

[0555] The key exchange process after the mutual
authentication in the present data processing apparatus has
been described. Thus, the key exchange process in the present
data processing apparatus can be carried out only after the
authentication process between the recording and reproducing
device 300 and the recording device 400 has been completed.
Further, decrypted data can be prevented from being externally 
accessed during the key exchange process, thereby ensuring the 
improved security of contents and key data. 
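
The command-number gating described in section (9) can be modelled as a small state machine. The following is an added example, not code from the patent: the class and function names, the command numbers 0 to 4 (standing for 0 to k and p to s), the `READ_REGISTER` number and the XOR keystream used in place of the page's cipher are all assumptions, and clearing the flag and working register on an out-of-order command is a choice of this model.

```python
import hashlib


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (not the page's DES): XOR with a SHA-256 keystream.
    Self-inverse, so the same call encrypts and decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


READ_REGISTER = 99  # hypothetical data read command; deliberately not in the register


class RecordingDevice:
    """Toy model of command number managing section 2901 and command register 2902."""

    def __init__(self, kstr: bytes, kses: bytes):
        self.kstr, self.kses = kstr, kses
        # Command register: command number -> execution command.
        # 0-1 stand for the authentication sequence (0 to k on the page),
        # 2-4 for key exchange sequence 1 (p to s, steps S3002 to S3004).
        self.register = {
            0: self._auth_begin,
            1: self._auth_complete,
            2: self._store,
            3: self._decrypt_with_kses,
            4: self._encrypt_with_kstr,
        }
        self.initialize()

    def initialize(self):
        """Initialization command: unauthenticated state, acceptance value 0."""
        self.auth_flag = False
        self.expected = 0
        self._work = None  # internal register, never returned to the host

    def command(self, number, payload=None):
        """Accept a command number only if it is the next one in ascending order."""
        if number != self.expected or number not in self.register:
            # Out-of-order or unknown number: error, acceptance value back to 0.
            # Clearing the flag and working register too is this model's assumption.
            self.initialize()
            return "error", None
        result = self.register[number](payload)
        self.expected = number + 1
        return "ok", result

    def _auth_begin(self, _):
        return None  # the mutual authentication exchange itself is not modelled

    def _auth_complete(self, _):
        self.auth_flag = True

    def _store(self, blob):
        self._work = blob  # S3002: data still encrypted with Kses

    def _decrypt_with_kses(self, _):
        self._work = xor_stream(self.kses, self._work)  # S3003: plaintext stays inside

    def _encrypt_with_kstr(self, _):
        wrapped, self._work = xor_stream(self.kstr, self._work), None  # S3004
        return wrapped  # only the Kstr-encrypted form leaves the device


def run(device, numbers, blob):
    """Host side: send command numbers in order; return each status and the last result."""
    statuses, last = [], None
    for n in numbers:
        status, last = device.command(n, blob if n == 2 else None)
        statuses.append(status)
    return statuses, last


if __name__ == "__main__":
    kses, kstr = b"constructed-session-key", b"constructed-storage-key"
    keys = b"KbitKbitKconKcon"  # constructed sample key material
    dev = RecordingDevice(kstr, kses)
    print(run(dev, [0, 1, 2, 3, 4], xor_stream(kses, keys)))
    dev.initialize()
    print(run(dev, [0, 1, 2, 3, READ_REGISTER, 4], xor_stream(kses, keys)))
```

In the second run the read command arrives while the decrypted keys sit in the working register; it is rejected, the register is cleared, and the following command 4 is rejected as well because the acceptance value is back at 0.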

(10) Plural Content Data Formats and Download and Reproduction 
Processes Corresponding to Each Format 

[0556] In the above-described embodiment, for example, the
data format for the medium 500 or communication means 600
shown in Fig. 3 is of the type shown in Fig. 4. The data
format for the medium 500 or the communication means 600 is
not limited to the one shown in Fig. 4, but preferably depends
on the content (e.g., music, image data, a program such as a
game, or the like). A
plurality of data formats as well as processes for downloading
and reproducing data from and to the recording device 400 will
be explained.

[0557] Figs. 32 to 35 show four different data formats. A
data format used on the medium 500 or the communication means
600 (shown in Fig. 3) is shown in the left of each figure,
while a data format used in storing data in the external
memory 402 of the recording device 400 is shown in the right
of each figure. An outline of the data formats shown in Figs.
32 to 35 will first be provided, and the contents of each data
in each format and differences among data in each format will
be explained.

[0558] Fig. 32 shows a format type 0, which is of the same
type as that shown as an example in the above description. The
format type 0 is characterized in that the entire data is
divided into N data blocks, that is, blocks 1 to N, each
having an arbitrary size, and each of which is arbitrarily
encrypted so that data can be configured by mixing together
encrypted blocks and non-encrypted blocks (i.e., plain text
blocks). The blocks are encrypted with the content key Kcon,
which is encrypted with the distribution key Kdis on the
medium 500 or with the storage key Kstr stored in the internal
memory 405 of the recording device 400 when it is stored in
the recording device 400. The block information key Kbit is
also encrypted with the distribution key Kdis on the medium
500 or with the storage key Kstr stored in the internal memory
405 of the recording device 400 when it is stored in the
recording device 400. These key exchanges are carried out in
accordance with the process described in "(9) Key Exchange
Process after Mutual Authentication."

[0559] Fig. 33 shows a format type 1, in which the entire
data is divided into N data blocks, that is, blocks 1 to
N, as in the format type 0, but which differs from the format
type 0 in that the N blocks are all of the same size. The
aspect of the process for encrypting blocks with the content
key Kcon is similar to that in the format type 0. Additionally,
as in the above described format type 0, the content key Kcon
and the block information table key Kbit are encrypted with
the distribution key Kdis on the medium 500 or with the
storage key Kstr stored in the internal memory 405 of the
recording device 400 when it is stored in the recording device
400. Unlike the format type 0, the format type 1 has a fixed
block configuration to simplify configuration data such as
data length for each block, thereby enabling a memory size for
block information to be reduced compared to the format type 0.

[0560] In the example configuration shown in Fig. 33,
each block comprises a set of an encrypted part and a
non-encrypted (plain text) part. If the length and configuration
of the block are thus regular, each block length or
configuration need not be checked during the decryption
process or the like, thereby enabling efficient decryption and
encryption processes. In the format 1, the parts constituting
each block, the encrypted part and the non-encrypted
(plain text) part, can each be defined as an object to be
checked, so that the content integrity check value ICVi is
defined for a block containing a part that must be checked.

[0561] Fig. 34 shows a format type 2. Format type 2
is characterized in that the data is divided into N data
blocks all having the same size. Blocks 1 to N
are each encrypted with an individual block key
Kblc. Each block key Kblc is encrypted with the content key
Kcon. Kcon is encrypted with the distribution key Kdis
on the medium 500 or with the storage key Kstr stored in the
internal memory 405 of the recording device 400 when it is
stored in the recording device 400. The block information
table key Kbit is also encrypted with the distribution key
Kdis on the medium or with the storage key Kstr stored in the
internal memory of the recording device when it is stored in
the recording device.

[0562] Fig. 35 shows a format type 3. Format type 3
is characterized in that the data is divided into N data
blocks all having the same size. Blocks 1 to N
are each encrypted with an individual block key
Kblc, as in the format type 2. Each block key
Kblc is encrypted with the distribution key Kdis on the medium
500 or with the storage key Kstr on the recording device 400,
without the use of the content key. No content key Kcon is
present on the medium 500 or on the device 400. The block
information table key Kbit is encrypted with the distribution
key Kdis on the medium 500 or with the storage key Kstr stored
in the internal memory 405 of the recording device 400 when it
is stored in the recording device 400.

[0563] Next, the contents of the data in the above format
types 0 to 3 will be described. As previously described, the
data are roughly divided into two sections, namely, the
header section and the content section. The header section
contains the content ID, the usage policy, the integrity check
values A and B, the total integrity check value, the block
information table key, the content key, and the block
information table.

[0564] The usage policy stores the data length of content,
its header length, its format type (formats 0 to 3 described
below), and content type indicating whether the content is a
program or data. It also stores a localization flag.
The localization flag determines whether the content can be
used only by a particular recording and reproducing device 300
(as described in the section relating to the processes for
downloading and reproducing a content to and from the
recording device 400). The usage policy also stores a
permission flag for a content copying or moving process, and
various localization and process information for the content
(such as a content encryption algorithm and a mode).

[0565] The integrity check value A, ICVa, is used to check
the content ID and the usage policy. ICVa is generated
using, for example, the method described in the
above-described Fig. 23.

[0566] The block information table key Kbit is used to
encrypt a block information table. It is encrypted with
the distribution key Kdis on the medium 500 or with the
storage key Kstr stored in the internal memory 405 of the
recording device 400 when it is stored in the recording device
400, as previously described.

[0567] The content key Kcon is used to encrypt content.
For the format types 0 and 1, it is encrypted with the
distribution key Kdis on the medium 500 or with the storage
key Kstr stored in the internal memory 405 of the recording
device 400 when it is stored in the recording device 400,
similarly to the block information table key Kbit. For the
format type 2, the content key Kcon is also used to encrypt
the block key Kblc configured for each content block.
Additionally, for the format type 3, no content key Kcon is
present.

[0568] The block information table describes information on
the individual blocks and stores the size of each block and a
flag indicating whether the block has been encrypted. That
is, the block information table stores information indicating
whether or not the block is to be checked (ICV). If the block
is to be checked, the block integrity check value ICVi (the
integrity check value for the block i) is defined and stored
in the table. This block information table is encrypted with
the block information table key Kbit.

[0569] If the block has been encrypted, the block integrity
check value (the content integrity check value ICVi)
is generated by exclusive-ORing the entire plain text
(decrypted text) every 8 bytes, and then encrypting the
obtained value with the content-integrity-check-value-
generating key Kicvc stored in the internal memory 307 of the
recording and reproducing device 300. Additionally, if the
block has not been encrypted, the block integrity check value
is generated by sequentially inputting the entire block data
(plain text) to a tamper-check-value-generating function shown
in Fig. 36 (DES-CBC-MAC using the content-integrity-check-
value-generating key Kicvc) in such a manner that 8 bytes are
input each time. Fig. 36 shows an example of a configuration
for generating the content block integrity check value ICVi.
Each message M constitutes a set of 8 bytes of decrypted
text data or plain text data.

[0570] For the format type 1, if at least one of the parts
in the block is data to be processed with the integrity check
value ICVi (that is, a part to be checked), the content
integrity check value ICVi is defined for that block. An
integrity check value P-ICVij (for a part j of a block i) is
generated by exclusive-ORing the entire plain text (decrypted
text) every 8 bytes and then encrypting the obtained data with
the content-integrity-check-value-generating key Kicvc. In
addition, if a part j has not been encrypted, the integrity
check value P-ICVij is generated by sequentially inputting the
entire block data (plain text) to the tamper-check-value-
generating function shown in Fig. 36 (DES-CBC-MAC using the
content-integrity-check-value-generating key Kicvc) in such a
manner that 8 bytes are input each time.

[0571] Further, if the block i contains one part having
[ICV flag = subject of ICV] indicating that it is to be
checked, the integrity check value P-ICVij generated using the
above method is directly used as the block integrity check
value ICVi. If the block i contains a plurality of parts
having [ICV flag = subject of ICV] indicating that they are to
be checked, the integrity check value P-ICVij is generated by
connecting a plurality of parts integrity check values P-ICVij
together in accordance with part numbers to obtain data and
sequentially inputting the entire data (plain data) to the
tamper-check-value-generating function shown in Fig. 37 (DES-
CBC-MAC using the content-integrity-check-value-generating key
Kicvc) in such a manner that 8 bytes are input each time. Fig.
37 shows an example of a configuration for generating the
content block content integrity check value ICVi.

[0572] The block integrity check value ICVi is not defined
for the format types 2 or 3.
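
The two ways of forming a check value described in paragraphs [0569] to [0571], and the combination of part values into the block value of Fig. 37, can be compared side by side. This is an added example, not code from the patent: the function names are hypothetical, a 4-round Feistel construction over SHA-256 stands in for DES, the initial value is taken as 0, and input lengths are assumed to be multiples of 8 bytes because the page gives no padding rule.

```python
import hashlib
import hmac

BLOCK = 8  # the page's check values are computed over 8-byte units


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit block cipher (4-round Feistel over SHA-256), used in place of DES."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, _xor(left, f)
    return left + right


def units(data: bytes):
    """Split data into the 8-byte messages M of Fig. 36."""
    if len(data) % BLOCK:
        raise ValueError("length must be a multiple of 8 bytes (assumption: no padding)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def icv_xor_fold(kicvc: bytes, plaintext: bytes) -> bytes:
    """Encrypted block or part: XOR every 8 bytes of the decrypted text together,
    then encrypt the 8-byte result with Kicvc."""
    acc = bytes(BLOCK)
    for m in units(plaintext):
        acc = _xor(acc, m)
    return encrypt_block(kicvc, acc)


def icv_cbc_mac(kicvc: bytes, data: bytes, iv: bytes = bytes(BLOCK)) -> bytes:
    """Non-encrypted block or part: CBC-MAC chaining, 8 bytes input each time."""
    state = iv
    for m in units(data):
        state = encrypt_block(kicvc, _xor(state, m))
    return state


def part_icv(kicvc: bytes, data: bytes, encrypted: bool) -> bytes:
    """P-ICVij for one part, chosen by whether the part was encrypted."""
    return icv_xor_fold(kicvc, data) if encrypted else icv_cbc_mac(kicvc, data)


def block_icv(kicvc: bytes, parts):
    """Format type 1 block value. parts is a list of
    (data, encrypted, subject_of_icv) tuples in part-number order."""
    p_icvs = [part_icv(kicvc, d, enc) for d, enc, subject in parts if subject]
    if not p_icvs:
        return None                      # no part to be checked: ICVi not defined
    if len(p_icvs) == 1:
        return p_icvs[0]                 # single checked part: used directly
    return icv_cbc_mac(kicvc, b"".join(p_icvs))  # several: MAC over the connected values


def verify_block(kicvc: bytes, parts, stored_icv: bytes) -> bool:
    """Recompute the block value and compare it with the stored one in constant time."""
    calc = block_icv(kicvc, parts)
    return calc is not None and hmac.compare_digest(calc, stored_icv)


if __name__ == "__main__":
    k = b"constructed-Kicvc"                 # constructed sample key
    a, b = b"AAAAAAAA", b"BBBBBBBB"          # constructed 8-byte units
    print(icv_xor_fold(k, a + b) == icv_xor_fold(k, b + a))  # True: XOR ignores order
    print(icv_cbc_mac(k, a + b) == icv_cbc_mac(k, b + a))    # False: chaining does not
```

The XOR-fold value depends only on the XOR of the 8-byte units, so it does not change when units are reordered, whereas the chained value does; both change when the content of a unit changes.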

[0573] The integrity check value B, ICVb, is used to check
the block information table key, the content key, and the
entire block information table. It is generated using, for
example, the method described in the previously described Fig.
24.

[0574] The total integrity check value, ICVt, is used to
check the entirety of the previously described integrity check
values ICVa and ICVb, and the integrity check value ICVi
contained in each block of the content to be checked. ICVt
is generated by applying the system signature key Ksys to the
intermediate integrity check value generated from each
integrity check value, such as the integrity check value A,
ICVa, to execute the encryption process as described in
previously described Fig. 25.

[0575] For the format types 2 and 3, the total integrity
check value ICVt is generated by applying the system signature
key Ksys to the intermediate integrity check value generated
by connecting the previously described integrity check values
ICVa and ICVb to the content data (the entire
content data between the block key in block 1 and the final
block), to execute the encryption process. Fig. 38 shows an
example of a configuration for generating the total integrity
check value ICVt for the format types 2 and 3.

[0576] The unique integrity check value ICVdev is
substituted with the total integrity check value ICVt if the
previously described localization flag is set to 1. That is,
it indicates that the content can be used only by a particular
recording and reproducing device. For the format types 0 and 1,
the unique integrity check value ICVdev is generated to check
the previously described integrity check values A (ICVa) and B
(ICVb) and the integrity check value ICVi contained in each
block of the content to be checked. Specifically, the unique
integrity check value ICVdev is generated by applying the
recording and reproducing device signature key Kdev to the
intermediate integrity check value generated from the
integrity check values such as the integrity check value A,
ICVa, as explained in the description of previously described
Fig. 25 or 38.

[0577] Next, processes for downloading content of each of
the format types 0 to 3 from the recording and reproducing
device 300 to the recording device 400, and processes executed
by the recording and reproducing device 300 to reproduce a
content of each of the format types 0 to 3 from the recording
device 400, will be described with reference to the flow
charts in Figs. 39 to 44.

[0578] First, the process for downloading content of the
format type 0 or 1 will be explained with reference to Fig. 39.

[0579] The process shown in Fig. 39 is started, for example,
by installing the recording device 400 into the recording and
reproducing device 300. At step S101,
authentication is executed between the recording and
reproducing device 300 and the recording device 400, and this
step is carried out in accordance with the authentication
process flow previously described in Fig. 20.

[0580] If the authentication process at step S101 has been
completed to set the authentication flag, then at step S102,
the recording and reproducing device 300 reads data of a
predetermined format from the medium 500 via the read section
304, the medium 500 storing content data, or uses the
communication section 305 to receive data from the
communication means 600 in accordance with a predetermined
format. Then, the control section 301 of the recording and
reproducing device 300 transmits the header section of the
data to the recording and reproducing device cryptography
process section 302 of the recording and reproducing device
300.

[0581] Next, at step S103, the control section 306 of the
recording and reproducing device cryptography process section
302 causes the encryption/decryption section 308 of the
recording and reproducing device cryptography process section
302 to calculate the integrity check value A. The integrity
check value A is calculated in accordance with the ICV
calculation method described in Fig. 7. It uses as a
key the integrity-check-value-A-generating key Kicva stored in
the internal memory 307 of the recording and reproducing
device cryptography process section 302. It uses the
content ID and the usage policy as a message, as shown in Fig.
23. Then at step S104, the integrity check value A and the
check value ICVa stored in the header are compared together.
If they are equal, the process proceeds to step S105.

[0582] As previously described, the check value A, ICVa, is
used to verify that the content ID and the usage policy have
not been tampered with. If the integrity check value A
calculated, for example, in accordance with the ICV
calculation (using as a key the integrity-check-value-A-
generating key Kicva stored in the internal memory 307 of the
recording and reproducing device cryptography process section
302 and using the content ID and the usage policy as a
message), equals the check value ICVa stored in the header, it
is determined that the content ID and the usage policy have
not been tampered with.

[0583] Next, at step S105, the control section 306 of the 
recording and reproducing device cryptography process section 
302 causes the encryption/decryption section 308 of the 
recording and reproducing device cryptography process section 
302 to obtain or generate the distribution key Kdis. The 
distribution key Kdis is generated using, for example, the 
master key MKdis for the distribution key, as in step S53 in 
the previously described Fig. 22. 

[0584] Then at step S106, the control section 306 of the
recording and reproducing device cryptography process section
302 uses the encryption/decryption section 308,
as well as the generated distribution key Kdis, to decrypt
the block information table key Kbit and content key Kcon
stored in the header section of the data obtained from the
medium 500 via the read section 304 or received from the
communication means 600 via the communication section 305.

[0585] Further, at step S107, the control section 306 of
the recording and reproducing device cryptography process
section 302 uses the encryption/decryption section 308 of the
recording and reproducing device cryptography process section
302 to decrypt the block information table with the decrypted
block information table key Kbit.

[0586] Further, at step S108, the control section 306 of
the recording and reproducing device cryptography process
section 302 calculates the integrity check value B (ICVb')
from the block information table key Kbit, the content key
Kcon, and the block information table (BIT). The integrity
check value B is generated, as shown in Fig. 24, to decrypt an
exclusive-ORed value based on the DES. This is done by using
the integrity-check-value-B-generating key Kicvb stored in the
internal memory 307. The exclusive-ORed value comprises
the block information table key Kbit, the content key Kcon,
and the block information table (BIT). Then at step S109, the
ICVb' and the ICVb in the header are
compared together, and if they are equal, the process proceeds
to step S110.

[0587] As previously described, the check value B, ICVb, is
used to verify that the block information table key Kbit, the
content key Kcon, and the block information table have not
been tampered with. If the integrity check value B, ICVb',
equals the check value
ICVb stored in the header, it is determined that the block
information table key Kbit, the content key Kcon, and the
block information table have not been tampered with. As
described earlier, ICVb' is generated by using the integrity-
check-value-B-generating key Kicvb; dividing the block
information table key Kbit, the content key Kcon, and the
block information table (BIT) into 8-byte pieces; exclusive-
ORing these data; and encrypting the exclusive-ORed data based
on the DES.

[0588] At step S110, the control section 306 of the
recording and reproducing device cryptography process section
302 causes the encryption/decryption section 308 of the
recording and reproducing device cryptography process section
302 to calculate the intermediate integrity check value. The
intermediate value is calculated in accordance with the ICV
calculation method described in Fig. 7 or the like. This is
done using the total-integrity-check-value-generating
key Kicvt as a key
and using the integrity check values A and B and all the
held content integrity check values as a message. Kicvt is
stored in the internal memory 307. The intermediate integrity
check value generated is stored in the recording and
reproducing device cryptography process section 302 of the
recording and reproducing device 300, as required.

[0589] Next, at step S111, the control section 306 of the
recording and reproducing device cryptography process section
302 causes the encryption/decryption section 308 of the
recording and reproducing device cryptography process section
302 to calculate the total integrity check value ICVt'. As
shown in Fig. 25, the total integrity check value ICVt is
generated by using a system signature key Ksys as a
key, to
encrypt the intermediate integrity check value based on the
DES. Ksys is stored in the internal memory. Then at step S112,
the total integrity check value ICVt generated and the ICVt'
in the header stored at step S112 are compared together, and
if they are equal, the process proceeds to step S113.

[0590] As previously described in Fig. 4, the total
integrity check value ICVt is used to verify that all of the
integrity check values ICVa and ICVb and the integrity check
value for each content block have not been tampered with. Thus,
if the total integrity check value generated by means of the
above described process equals the integrity check value ICVt
stored in the header, it is determined that all of the
integrity check values ICVa and ICVb and the integrity check
value for each content block have not been tampered with.

[0591] Then at step S113, the control section 301 of the
recording and reproducing device 300 takes content block
information out from the block information table (BIT) and
checks whether any content block is to be verified. If any
content block is to be verified, the content integrity check
value has been stored in the block information in the header.

[0592] If any content block is to be verified, then at step
S114, the control section 301 reads this content block out
from the medium 500 (using the read section 304 of the
recording and reproducing device 300) or receives it from the
communicating means 600 (by using the communication section
305 of the recording and reproducing device 300), and
transmits the content block to the recording and reproducing
device cryptography process section 302 of the recording and
reproducing device 300. On receiving the content block, the
control section 306 of the recording and reproducing device
cryptography process section 302 causes the
encryption/decryption section 308 of the recording and
reproducing device cryptography process section 302 to
calculate the content integrity check value ICVi'.

[0593] If the block has been encrypted, the content
integrity check value ICVi is generated by decrypting the
input content block in the DES CBC mode using the content key
Kcon. Then it exclusive-ORs all of the decrypted text
every 8 bytes. And then it encrypts the generated
content intermediate value with the content-integrity-check-
value-generating key Kicvc stored in the internal memory 307
of the recording and reproducing device 300. Additionally, if
the block has not been encrypted, the content integrity check
value is generated by sequentially inputting the entire block
data (plain text) to the tamper-check-value-generating
function shown in Fig. 36 (DES-CBC-MAC using the content-
integrity-check-value-generating key Kicvc) in such a manner
that 8 bytes are input each time.

[0594] Then at step S115, the control section 306 of the
recording and reproducing device cryptography process section
302 compares this content integrity check value with the ICV
in the content block received from the control section 301 of
the recording and reproducing device 300 at step S102. And
it passes the result to the control section 301 of the
recording and reproducing device 300. On receiving the result
(and if the verification has been successful), the control
section 301 of the recording and reproducing device 300 takes
out the next content block to be verified and causes the
recording and reproducing device cryptography process section
302 of the recording and reproducing device 300 to verify this
content block. Similar verification processes are repeated
until all the content blocks are verified (step S116).

[0595] In this regard, if the check values are not equal at
any of steps 104, 109, 112, and 115, an error occurs to end
the download process.

[0596] Then at step S117, the recording and reproducing
device cryptography process section 302 of the recording and
reproducing device 300 causes the encryption/decryption
section 308 of the recording and reproducing device
cryptography process section 302 to encrypt the block
information key Kbit and content key Kcon decrypted at step
S106. This is performed using the session key Kses made
sharable during the mutual authentication. The control section
301 of the recording and reproducing device 300 reads the
block information table key Kbit and the content key Kcon out
from the recording and reproducing device cryptography process
section 302 of the recording and reproducing device 300 and
then transmits them to the recording device 400 via the
recording device controller 303 of the recording and
reproducing device 300.

[0597] Then at step S118, the
recording device 400 causes the encryption/decryption section
406 of the recording device cryptography process section 401
to decrypt the received data with the session key Kses (made
sharable during the mutual authentication). Step 118 is
performed upon receiving the block information table key Kbit
and the content key Kcon that are transmitted from the
recording and reproducing device 300.
The decrypted data is then reencrypted using the storage key
Kstr, which is unique to the recording device which is stored
in the internal memory 405 of the recording device
cryptography process 401. Then, the control section 301 of the
recording and reproducing device 300 reads the block
information key Kbit and the content key Kcon out from the
recording device 400 via the recording device controller 303
of the recording and reproducing device 300. The block
information key Kbit and the content key Kcon can be
reencrypted with the storage key Kstr. That is, the block
information table key Kbit encrypted with the distribution key
Kdis is exchanged with the content key Kcon.

[0598] Then at step S119, the control section 301 of the
recording and reproducing device 300 takes the localization
field out from the usage policy in the header section of the
data. This is done to determine whether the downloaded
content can be used only in this recording and reproducing
device 300. If the localization field is set to 1, the
downloaded content can be used only by the recording and
reproducing device 300. If the localization field is set to
0, the downloaded content can also be used by other similar
recording and reproducing devices 300. If the result of the
determination shows that the localization field is set to 1,
the process proceeds to step S120.

[0599] At step S120, the control section 301 of the
recording and reproducing device 300 causes the recording and
reproducing device cryptography process section 302 of the
recording and reproducing device 300 to calculate the
integrity check value unique to the recording and reproducing
device 300. The integrity check value unique to the recording
and reproducing device 300 is generated by using as a key a
recording and reproducing device signature key Kdev stored in
the internal memory 307 of the recording and reproducing
device cryptography process section 302. This is performed
to encrypt the intermediate integrity check value based on the
DES. The intermediate integrity check value can be
generated at step S110. The calculated integrity check value
ICVdev unique to the recording and reproducing device 300
substitutes for the total integrity check value ICVt.

[0600] As previously described, the system signature key
Ksys is used to add a common signature or ICV to the
distribution system. The recording and reproducing
device signature key Kdev varies depending on the recording
and reproducing device 300 and is used by the recording and
reproducing device 300 to add a signature or ICV. That is,
data signed with the system signature key Ksys is
successfully checked by a system (recording and reproducing
device 300) having the same system signature key. In
other words, such data have the same total integrity check
value ICVt so as to be sharable. If, however, data are signed
with the recording and reproducing device signature key Kdev
(since this signature key is unique to the recording and
reproducing device), the data
stored in a recording device after the signing cannot be
reproduced if an attempt is made to reproduce them after this
recording device 400 has been inserted in another recording
and reproducing device 300. In other words, an error
occurs due to the unequal integrity check values ICVdev unique
to the recording and reproducing device 300. In the data
processing apparatus according to the present invention, the
setting of the localization field enables contents to be
arbitrarily set so as to be shared throughout the entire
system or used only by particular recording and reproducing
devices 300.
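
The check-value chain of steps S103 to S120 and the localization behaviour of paragraph [0600], as an added example that is not part of the patent text. DES is replaced here by a truncated HMAC-SHA256 stand-in so that it runs on the Python standard library alone; the header layout (Kbit and Kcon held in the clear, the localization field as the first usage-policy byte), the zero padding, the key values and all function names are assumptions, and the reproduction-side key choice follows paragraphs [0600] and [0636].

```python
import hashlib
import hmac

BLOCK = 8  # the text works in 8-byte pieces (the DES block size)


def enc(key, block):
    """Assumption: truncated HMAC-SHA256 stands in for one-block DES
    encryption (no DES in the standard library); forward direction only."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pieces(data):
    """Split into 8-byte pieces; zero padding of the tail is an assumption."""
    data += bytes(-len(data) % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key, message):
    """Chained MAC over 8-byte pieces (ICVa and the intermediate value)."""
    state = bytes(BLOCK)
    for piece in pieces(message):
        state = enc(key, xor(state, piece))
    return state


def xor_then_encrypt(key, message):
    """ICVb: exclusive-OR all 8-byte pieces, then encrypt the result once."""
    acc = bytes(BLOCK)
    for piece in pieces(message):
        acc = xor(acc, piece)
    return enc(key, acc)


def check_values(keys, h):
    """Recompute ICVa, ICVb and the intermediate value from header fields."""
    icva = cbc_mac(keys["Kicva"], h["content_id"] + h["usage_policy"])
    icvb = xor_then_encrypt(keys["Kicvb"], h["Kbit"] + h["Kcon"] + h["BIT"])
    inter = cbc_mac(keys["Kicvt"], icva + icvb + b"".join(h["content_icvs"]))
    return icva, icvb, inter


def verify(keys, h, total_key, steps):
    """Compare the three check values in order; name the first failing step."""
    icva, icvb, inter = check_values(keys, h)
    computed = (icva, icvb, enc(total_key, inter))
    stored = (h["ICVa"], h["ICVb"], h["ICVt"])
    for step, mine, theirs in zip(steps, computed, stored):
        if not hmac.compare_digest(mine, theirs):
            return "error at " + step, inter
    return "ok", inter


def make_header(keys, content_id, usage_policy, kbit, kcon, content_icvs):
    """Distributor side: header whose total value is made with Ksys.
    Kbit/Kcon are held in the clear here (assumption; the page wraps them)."""
    h = {"content_id": content_id, "usage_policy": usage_policy,
         "Kbit": kbit, "Kcon": kcon, "BIT": b"".join(content_icvs),
         "content_icvs": content_icvs}
    icva, icvb, inter = check_values(keys, h)
    h.update(ICVa=icva, ICVb=icvb, ICVt=enc(keys["Ksys"], inter))
    return h


def download(keys, h):
    """Steps S103 to S120: verify with Ksys, then localize if requested."""
    status, inter = verify(keys, h, keys["Ksys"], ("S104", "S109", "S112"))
    if status != "ok":
        return status, None
    stored = dict(h)
    if h["usage_policy"][0] == 1:  # S119; field position is an assumption
        stored["ICVt"] = enc(keys["Kdev"], inter)  # S120: ICVdev replaces ICVt
    return "ok", stored


def reproduce(keys, stored):
    """Reproduction check; the total-value key follows the localization field."""
    key = keys["Kdev"] if stored["usage_policy"][0] == 1 else keys["Ksys"]
    return verify(keys, stored, key, ("S204", "S210", "total ICV check"))[0]


def demo():
    """Constructed keys and header fields; the last case alters the policy."""
    shared = {"Kicva": b"A" * 8, "Kicvb": b"B" * 8,
              "Kicvt": b"T" * 8, "Ksys": b"S" * 8}
    dev1, dev2 = dict(shared, Kdev=b"device-1"), dict(shared, Kdev=b"device-2")
    results = {}
    for loc in (0, 1):
        h = make_header(shared, b"CONTENT1", bytes([loc]) + b"policy!",
                        b"k" * 8, b"c" * 8, [b"\x11" * 8, b"\x22" * 8])
        status, stored = download(dev1, h)
        results[loc] = (status, reproduce(dev1, stored), reproduce(dev2, stored))
    results["altered"] = download(dev1, dict(h, usage_policy=b"\x00policy!"))[0]
    return results
```

With the localization field at 0 both constructed devices accept the stored header; at 1 only the device that performed the download does, because the stored total value was produced with its Kdev.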

[0601] Next, at step S121, the control section 301 of the
recording and reproducing device 300 causes the recording and
reproducing device cryptography process section 302 to form a
storage data format. As previously described, one of the three
format types, 0 to 3, is set in the usage policy (see Fig. 5)
in the header. This is done so that data are formed in
accordance with the storage format of one of the
previously described Figs. 32 to 35 depending on the set type.
The flow shown in Fig. 39 is for the format 0 or 1, so that
the data are formed into one of the formats in Figs. 32 and 33.
Once the storage data format has been completed at step S121,
the control section 301 of the recording and reproducing
device 300 stores the content in the external memory 402 of
the recording device 400 at step S122.

[0602] How the process for downloading content data of the
format type 0 or 1 is carried out has been described.

[0603] The process for downloading content data of the
format type 2 will be explained with reference to Fig. 40.
Differences from the above described process for downloading
data of the format type 0 or 1 will be focused on.

[0604] Steps S101 to S109 are similar to the above
described process for downloading data of the format type 0 or
1, so description thereof is omitted.

[0605] Since the format type 2 has no content integrity
check value ICVi defined therefor as previously described, the
block information table contains no content integrity check
value ICVi. The intermediate integrity check value in the
format type 2 is generated by applying the system signature
key Ksys to the intermediate integrity check value (generated
by connecting the integrity check values A and B to the entire
content data between the leading data of the first block (the
block key in the block 1) and the final block), to execute the
encryption process.

[0606] Thus, in the process for downloading data of the
format type 2, the content data is read out at step S151.
The intermediate integrity check value is generated
based on the integrity check values A and B and the read-out
content data at step S152. In this regard, the content data
is not decrypted even if it has been encrypted.

[0607] For the format type 2, the processes for decrypting
the block data and collating the content integrity check
values are omitted, contrary to the previously described
process for the format type 0 or 1, thereby increasing the
processing speed.

[0608] The processing at step S111 and subsequent steps is
similar to that for the format type 0 or 1, so description
thereof is omitted.

[0609] How the process for downloading content data of the
format type 2 is carried out has been described. As described
above, the process for downloading data of the format type 2
omits the processes for decrypting the block data and
collating the content integrity check values contrary to the
process for the format type 0 or 1, thereby increasing the
processing speed. This format is thus suitable for
processing of music data or the like which must be executed in
real time.

[0610] Next, the process for downloading content data of
format type 3 will be described with reference to Fig. 41. The
following description will focus on differences from the above
described download process for the format types 0, 1, and 2.

[0611] Steps S101 to S105 are similar to those of the above
described download process for the format types 0, 1, and 2,
so description thereof is omitted.

[0612] The process for the format type 3 essentially has
many characteristics in common with that for the format type 2,
but differs therefrom in that the format type 3 has no content
key and in that the block key Kblc is stored in the recording
device 400 after encryption with the storage key Kstr.

[0613] The following description will focus on the
differences between the download process for the format type 3
and that for the format type 2. With the format type 3, at
step S161 (which follows step S105), the block information
table key is decrypted. The control section 306 of the
recording and reproducing device cryptography process section
302 uses the encryption/decryption section 308 of the
recording and reproducing device cryptography process section
302, as well as the distribution key Kdis generated at step
S105, to decrypt the block information table key Kbit. Kbit is
stored in the header section of the data obtained from the
medium 500 via the read section 304, or received from the
communication means 600 via the communication section 305.
With the format type 3, data contains no content key Kcon, so
that the process for decrypting the content key Kcon is not
executed.

[0614] At the next step S107, the block information table
key Kbit (decrypted at step S161) is used to decrypt the block
information table. At step S162, the control section
306 of the recording and reproducing device cryptography
process section 302 generates integrity check value B (ICVb')
from the block information table key Kbit and block
information table (BIT). The integrity check value B is
generated by using the integrity-check-value-B-
generating key Kicvb.
This is performed to encrypt the exclusive-ORed value
comprising the block information table key Kbit and block
information table (BIT), based on the DES. Kicvb is stored in
the internal memory 307. Next, at step S109, the integrity
check value B (ICVb) and the ICVb in the header are compared
together. If they are equal, the process proceeds to
step S151.

[0615] With the format type 3, the check value B, ICVb
functions to verify that the block information table key Kbit
and the block information table have not been tampered with.
If the integrity check value B generated equals the check
value ICVb stored in the header, it is determined that the
block information table key Kbit and the block information
table have not been tampered with.

[0616] Steps S151 to S112 are similar to those of the
process for the format type 2, and description thereof is
omitted.

[0617] At step S163, the block key Kblc, contained in the
content data read out at step S151, is decrypted with the
distribution key Kdis generated at step S105.

[0618] Then at step S164, the recording and reproducing
device cryptography process section 302 of the recording and
reproducing device 300 causes the encryption/decryption
section 308 of the recording and reproducing device
cryptography process section 302 to encrypt the block
information key Kbit (decrypted at step S161) and the block
key Kblock (decrypted at step S163), using the session key
Kses made sharable during the mutual authentication. The
control section 301 of the recording and reproducing device
300 reads the block information table key Kbit and the block
key Kblc out from the recording and reproducing device
cryptography process section 302 of the recording and
reproducing device 300 and then transmits this data to
the recording device 400 via the recording device controller
303 of the recording and reproducing device 300.

[0619] Then at step S165, the recording
device 400 causes the encryption/decryption section 406 of the
recording device cryptography process section 401 to decrypt
the received data with the session key Kses. Step 165 occurs
upon receiving the block information table key Kbit and the
block key Kblc that are transmitted from the recording and
reproducing device 300. Kses was made sharable during the
mutual authentication. The decrypted
data is then reencrypted using the storage key Kstr which is
unique to the recording device 400 which is stored in the
internal memory 405 of the recording device cryptography
process 401. The control section 301 of the recording and
reproducing device 300 reads the block information table key
Kbit and the block key Kblc reencrypted by a storage key Kstr
from the recording device 400 via the recording device
controller of the recording and reproducing device 300. That
is, the block information table key Kbit and block key Kblc
initially encrypted with the distribution key Kdis are
replaced with the block information table key Kbit and block
key Kblc reencrypted with the storage key Kstr.

[0620] The subsequent steps S119 to S122 are similar to
those for the format types 0, 1, and 2, so description thereof
is omitted.

[0621] The aspect of the process for downloading content
data of the format type 3 has been described. As described
above, the download process for the format type 3 omits the
decryption of the block data and the process for collating the
content integrity check value as for the format type 2,
thereby enabling prompt processing. The format type 3 is
thus suitable for processing data such as music data, which
requires real-time processing. In addition, since the
range within which the encrypted content is protected is
localized by the block key Kblc, advanced security is achieved
compared to the format type 2.

[0622] Next, processes for reproducing data of each of the
format types 0 to 3 from the recording device 400
will be explained with
reference to the flow charts in Figs. 42 to 45.

[0623] First, a process for reproducing content of the
format type 0 will be explained with reference to Fig. 42.

[0624] Step S201 corresponds to an authentication process
between the recording and reproducing device 300 and the
recording device 400. It is executed in accordance with
the authentication process flow previously described in Fig.
20.

[0625] Once the authentication process at step S201 has
been completed to set the authentication flag,
the recording and reproducing device 300, at step S202, reads
the header of data of a predetermined format out from the
recording device 400 and transmits it to the recording and
reproducing device cryptography process section 302 of the
recording and reproducing device 300.

[0626] Then at step S203, the control section 306 of the
recording and reproducing device cryptography process section
302 causes the encryption/decryption section 308 of the
recording and reproducing device cryptography process section
302 to calculate the integrity check value A. The integrity
check value A, ICVa', is calculated using as a key the
integrity-check-value-A-generating key Kicva stored in the
internal memory 307 of the recording and reproducing device
cryptography process section 302 and using the content ID and
the usage policy as a message, as shown in the previously
described Fig. 23. Then, the integrity check value A, ICVa',
and the check value ICVa stored in the header are compared
together at step S204. If they are equal, the process
proceeds to step S205.

[0627] The check value A, ICVa, is used to verify that the
content ID and the usage policy have not been tampered with.
If the calculated integrity check value A, ICVa', equals the
check value ICVa stored in the header, it is determined that
the content ID and the usage policy have not been tampered
with.

[0628] Then at step S205, the control section 301 of the
recording and reproducing device 300 takes out, from the
read-out header section, the block information table key Kbit and
content key Kcon (encrypted with the storage key Kstr unique
to the recording device) and then transmits them to the
recording device 400 via the recording device controller 303
of the recording and reproducing device 300.

[0629] On receiving the block information table key Kbit
and the content key Kcon (transmitted from the recording and
reproducing device 300), the recording device 400 causes the
encryption/decryption section 406 of the recording device
cryptography process section 401 to decrypt the received data
with the storage key Kstr (unique to the recording device
which is stored in the internal memory 405 of the recording
device cryptography process) and to then reencrypt the
decrypted data using the session key Kses (made sharable
during the mutual authentication). This process is as
previously described in detail in (9) Key Exchange Process
after Mutual Authentication.

[0630] At step S206, the control section 301 of the
recording and reproducing device 300 receives the block
information table key Kbit and content key Kcon reencrypted
with the session key Kses, from the recording device 400, via
the recording device controller 303 of the recording and
reproducing device 300.

[0631] Then at step S207, the control section 301 of the
recording and reproducing device 300 transmits the received
block information table key Kbit and content key Kcon (which
are reencrypted with the session key Kses), to the recording
and reproducing device cryptography process section 302 of the
recording and reproducing device 300. On receiving the block
information table key Kbit and content key Kcon reencrypted
with the session key Kses, the cryptography
process section 302 of the recording and reproducing device
300 causes the encryption/decryption section 308 of the
recording and reproducing device cryptography process section
302 to decrypt these keys Kbit and Kcon with the session key
Kses (made sharable during the mutual authentication).

[0632] Further at step S208, the decrypted block
information table key Kbit is used to decrypt the block
information read out at step S202. The recording and
reproducing device cryptography process section 302 of the
recording and reproducing device 300 replaces the decrypted
block information table key Kbit, content key Kcon, and block
information table BIT with the block information table key
Kbit, content key Kcon, and block information table BIT
contained in the header read out at step S202, to hold the
latter. Additionally, the control section 301 of the recording
and reproducing device 300 reads the decrypted block
information table BIT out from the recording and reproducing
device cryptography process section 302 of the recording and
reproducing device 300.

[0633] Further, at step S209, the control section 306 of
the recording and reproducing device cryptography process
section 302 generates the integrity check value B (ICVb') from
the block information table key Kbit, the content key Kcon,
and the block information table (BIT). The integrity check
value B is generated, as shown in Fig. 24, by using as a key
the integrity-check-value-B-generating key Kicvb
to decrypt the exclusive-
ORed value comprising the block information table key Kbit,
the content key Kcon, and the block information table (BIT),
based on the DES. Kicvb is stored in the internal memory 307.
Then at step S210, the integrity check value B, ICVb', and the
ICVb in the header are compared together. If they are
equal, the process proceeds to step S211.

[0634] The check value B, ICVb is used to verify that the
block information table key Kbit, the content key Kcon, and
the block information table have not been tampered with. If
the integrity check value B generated equals the check value
ICVb stored in the header, it is determined that the block
information table key Kbit, the content key Kcon, and the
block information table stored in the recording device 400
have not been tampered with.

[0635] At step S211, the control section 306 of the
recording and reproducing device cryptography process section
302 causes the encryption/decryption section 308 of the
recording and reproducing device cryptography process section
302 to calculate the intermediate integrity check value. The
intermediate value is calculated in accordance with the ICV
calculation method described in Fig. 7, using the
total-integrity-check-value generating key Kicvt as a key.
Kicvt is stored in the internal memory 307 of the recording
and reproducing device cryptography process section 302.
The integrity check values A and B in the verified
header and all the content integrity check values in the block
information table are used as a message, as shown in Fig. 25.
In this regard, the intermediate integrity check value
generated is stored in the recording and reproducing device
cryptography process section 302 of the recording and
reproducing device 300 as required.

[0636] Next, at step S212, the control section 301 of the
recording and reproducing device 300 takes the localization
field out from the usage policy to determine whether the
content to be reproduced can be used only by this recording
and reproducing device 300 (in this case, the localization
field is set to 1) or also by other similar recording and
reproducing devices 300 (in this case, the localization field
is set to 0). The usage policy is contained in the header
section of the data read from the external memory 402 of the
recording device 400. If the result of the determination shows
that the localization field is set to 1, that is, the
reproduced content can be used only by this recording and
reproducing device 300, the process proceeds to step S213. If
the localization field is set to 0, that is, the reproduced
content can also be used by other similar recording and
reproducing devices 300, the process proceeds to step S215.
The processing at step S211 may be executed by the
cryptography process section 302.
[0637] At step S213, the control section 301 of the
recording and reproducing device 300 causes the recording and
reproducing device cryptography process section 302 of the
recording and reproducing device 300 to calculate the
integrity check value ICVdev'. ICVdev' is unique to the
recording and reproducing device 300. The integrity check
value ICVdev', unique to the recording and reproducing device,
is generated, as shown in Fig. 25, by using a recording and
reproducing device signature key Kdev as a key to decrypt the
intermediate integrity check value based on the DES. The
intermediate integrity check value can be held at step S58.
Kdev is stored in the internal memory 307.
[0638] Then at step S214, the integrity check value ICVdev'
(unique to the recording and reproducing device 300)
calculated at step S213, and the ICVdev in the header read out
at step S202, are compared together. If they are equal,
the process proceeds to step S217.

[0639] At step S215, the control section 306 of the
recording and reproducing device cryptography process section
302 causes the encryption/decryption section 308 of the
recording and reproducing device cryptography process section
302 to calculate the total integrity check value ICVt. The
total integrity check value ICVt' is generated by using the
system signature key Ksys as a key to decrypt the intermediate
integrity check value based on the DES, as shown in Fig. 25.
Ksys is stored in the internal memory 307. Then at step S216,
the generated total integrity check value ICVt' and the ICVt
in the header are compared together. If they are equal, the
process proceeds to step S217.

[0640] The total integrity check value ICVt and the
integrity check value ICVdev unique to the recording and
reproducing device are used to verify that all of the
integrity check values ICVa and ICVb and the integrity check
value for each content block have not been tampered with. Thus,
if the total integrity check value generated by means of the
above described process equals the integrity check value ICVt
or ICVdev stored in the header, it is determined that all of
the integrity check values for each content block have not
been tampered with.
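
The header checks at steps S209 to S216, sketched as an added example that is not code from the patent. `block_op` is a stand-in keyed function (truncated HMAC-SHA256), not DES, and the header layout, key values and zero padding are assumptions made for illustration; the run shows a device-bound header failing on a second device and changes to the table or the localization field being caught.

```python
import hashlib
import hmac

BLOCK = 8  # the page's check values are computed over 8-byte units


def block_op(key: bytes, block: bytes) -> bytes:
    """Stand-in for the single DES operation on the page. This is NOT DES:
    it is a keyed 8-byte function (truncated HMAC-SHA256) so that the
    example runs on the standard library alone."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def units(data: bytes) -> list:
    """Split data into 8-byte units; zero padding of the tail is an assumption."""
    data += b"\x00" * (-len(data) % BLOCK)
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv_b(keys: dict, hdr: dict) -> bytes:
    """S209: exclusive-OR Kbit, Kcon and the BIT together, then apply Kicvb."""
    folded = bytes(BLOCK)
    for unit in units(hdr["Kbit"] + hdr["Kcon"] + hdr["BIT"]):
        folded = xor(folded, unit)
    return block_op(keys["Kicvb"], folded)


def intermediate_icv(keys: dict, hdr: dict) -> bytes:
    """S211: chained check value keyed with Kicvt over ICVa, ICVb and the
    content check values (here the BIT is just those values concatenated)."""
    state = bytes(BLOCK)
    for unit in units(hdr["ICVa"] + hdr["ICVb"] + hdr["BIT"]):
        state = block_op(keys["Kicvt"], xor(state, unit))
    return state


def final_icv(keys: dict, hdr: dict) -> bytes:
    """S212 to S215: the localization field selects Kdev (ICVdev) or Ksys (ICVt)."""
    key = keys["Kdev"] if hdr["localization"] == 1 else keys["Ksys"]
    return block_op(key, intermediate_icv(keys, hdr))


def verify_header(keys: dict, hdr: dict) -> str:
    """Return the next step on success, or the step whose comparison failed."""
    if not hmac.compare_digest(icv_b(keys, hdr), hdr["ICVb"]):
        return "error at S210"
    step = "S214" if hdr["localization"] == 1 else "S216"
    if not hmac.compare_digest(final_icv(keys, hdr), hdr["ICVfinal"]):
        return "error at " + step
    return "proceed to S217"


def make_header(keys: dict, content_icvs: list, localization: int) -> dict:
    """Build a constructed sample header the way the storing side would."""
    hdr = {"Kbit": b"kbit-key", "Kcon": b"kcon-key", "ICVa": b"icva-val",
           "BIT": b"".join(content_icvs), "localization": localization}
    hdr["ICVb"] = icv_b(keys, hdr)
    hdr["ICVfinal"] = final_icv(keys, hdr)  # ICVdev if localized, else ICVt
    return hdr


# Constructed key sets: both devices share the system keys, Kdev differs.
SYSTEM = {"Kicvb": b"key-icvb", "Kicvt": b"key-icvt", "Ksys": b"key-sys0"}
DEVICE_1 = dict(SYSTEM, Kdev=b"dev-0001")
DEVICE_2 = dict(SYSTEM, Kdev=b"dev-0002")
BLOCK_ICVS = [b"icv-blk0", b"icv-blk1"]  # constructed content check values

if __name__ == "__main__":
    bound = make_header(DEVICE_1, BLOCK_ICVS, localization=1)
    shared = make_header(DEVICE_1, BLOCK_ICVS, localization=0)
    print("bound header, device 1: ", verify_header(DEVICE_1, bound))
    print("bound header, device 2: ", verify_header(DEVICE_2, bound))
    print("shared header, device 2:", verify_header(DEVICE_2, shared))
    print("field flipped 1 -> 0:   ",
          verify_header(DEVICE_1, dict(bound, localization=0)))
    print("BIT altered:            ",
          verify_header(DEVICE_1, dict(shared, BIT=b"icv-blkXicv-blk1")))
```
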

[0641] Next, at step S217, the control section 301 of the
recording and reproducing device 300 reads the block data out
from the recording device 400. Furthermore, at step S218, it
is determined whether or not the data has been encrypted.
If the data has been encrypted, the cryptography
process section 302 of the recording and reproducing device
300 decrypts the block data. If the data has not been
encrypted, the process skips step S219 and advances to step
S220.

[0642] Then at step S220, the control section 301 of the
recording and reproducing device 300 checks whether any
content block is to be verified. This is done based on the
content block information table in the block information table
(BIT). If any content block is to be verified, the content
integrity check value has been stored in the block information
in the header. In this case, the content integrity check value
ICVi for this content block is calculated at step S221. If no
content block is to be verified, the process skips steps S221
and S222 to advance to step S223.

[0643] If the block has been encrypted as previously
described in Fig. 36, the content integrity check value ICVi'
is generated by decrypting the input content block with the
content key Kcon in the DES CBC mode, exclusive-ORing all of
the results every 8 bytes to generate the content intermediate
value. Then the process encrypts the obtained value
with the content-integrity-check-value-generating key Kicvc
(stored in the internal memory 307 of the recording and
reproducing device 300). Additionally, if the block has not
been encrypted, the content integrity check value is generated
by sequentially inputting the entire data (plain text) to the
tamper-check-value-generating function shown in Fig. 36
(DES-CBC-MAC using the content-integrity-check-value-generating
key Kicvc) in such a manner that 8 bytes are input each time.
[0644] At step S222, the control section 306 of the
recording and reproducing device cryptography process section
302 compares the generated content integrity check value ICVi'
with the ICVi stored in the content block received from the
recording device 400 at step S202, and passes the result to
the control section 301 of the recording and reproducing
device 300. On receiving the result (and if the verification
has been successful), the content plain data for execution
(reproduction) on the RAM of the recording and reproducing
device system is formed at step S223. The control section 301
of the recording and reproducing device 300 takes out the next
content block to be verified and causes the recording and
reproducing device cryptography process section 302 of the
recording and reproducing device 300 to verify this content
block. Similar verification processes and RAM storage
processes are repeated until all the content blocks are
verified (step S224).

[0645] If the check values do not match at any of steps
S204, S210, S214, S216, or S222, an error occurs to end
the reproduction process.

[0646] When it is determined at step S224 that all the
blocks have been read out, the process proceeds to step S225
to start executing and reproducing the content (program or
data).

[0647] The aspect of the process for reproducing content
data of the format type 0 has been explained.

[0648] Next, the process for downloading content data of 
the format type 1 will be explained with reference to Fig. 43. 
The following description will focus on differences from the 
above described download process for the format type 0. 

[0649] The processing from steps S201 to S217 is similar to
that in the above described download process for the format
type 0, so description thereof is omitted.

[0650] For the format type 1, at step S231, encrypted parts
are decrypted to generate a part ICV. Further at step S232,
the block ICVi' is generated. As previously described with
the format type 1, if at least one of the parts in a block
contains data to be verified with the integrity check value
ICVi, the content integrity check value ICVi is defined for
this block. For example, if the part j has been encrypted, an
integrity check value P-ICVij for a part j of a block i is
generated by exclusive-ORing the entire plain text (decrypted
text) every 8 bytes and decrypting the obtained value with the
content-integrity-check-value-generating key Kicvc.
Additionally, if the part j has not been encrypted, the
integrity check value P-ICVij is generated by sequentially
inputting the entire data (plain text) to the
tamper-check-value-generating function shown in Fig. 36
(DES-CBC-MAC using the content-integrity-check-value-generating
key Kicvc) in such a manner that 8 bytes are input each time.

[0651] Further, if the block i contains only one part
having [ICV flag = subject of ICV] indicating that it is to be
checked, the integrity check value P-ICVij generated using the
above method is directly used as the block integrity check
value ICVi. If the block i contains a plurality of parts
having [ICV flag = subject of ICV] indicating that they are to
be checked, the integrity check value P-ICVij is generated by
connecting a plurality of part integrity check values P-ICVij
together in accordance with part numbers to obtain data,
and the process then sequentially inputs the
entire data (plain text) to the tamper-check-value-generating
function shown in Fig. 36 (DES-CBC-MAC using the
content-integrity-check-value-generating key Kicvc) in such a
manner that 8 bytes are input each time. This is the same as
explained in Fig. 37.

[0652] For the format type 1, the content integrity check
value generated by means of the above described procedure
undergoes comparison at step S222. Processing at the next step
S223 and the subsequent steps is similar to that for the
format type 0, so description thereof is omitted.
[0653] Next, the process for reproducing content data of 
the format type 2 will be explained with reference to Fig. 44. 
The following description will focus on differences from the 
above described reproduction processes for the format types 0 
and 2 . 

[0654] Steps S201 to S210 are similar to that in the
above-described reproduction processes for the format types 0
and 1, so description thereof is omitted.

[0655] For the format type 2, the processing at steps S211
to S216, which is executed for the format types 0 and 1, is
not executed. In addition, the format type 2 has no content
integrity check value, so that verification of the content
integrity check value, which is executed for the format types
0 and 1, is not executed.

[0656] In the data reproduction process for the format type
2 (performed after step S210 for verifying the integrity
check value B), the process proceeds to step S217, where the
block data are read out under the control of the control
section 301 of the recording and reproducing device 300.
Further, at step S241, the cryptography process section 306 of
the recording and reproducing device 300 decrypts the block
key Kblc contained in the block data. The block key Kblc,
stored in the recording device 400, has been encrypted with
the content key Kcon as shown in Fig. 34. Kblc is thus
decrypted with the content key Kcon, which has been
decrypted at step S207.

[0657] Then at step S242, the block key Kblc (decrypted at
step S241) is used to decrypt the block data. Furthermore, at
step S243, the content (program or data) is executed and
reproduced. The processing from steps S217 to S243 is repeated
for all the blocks. When it is determined at step S244 that
all the blocks have been read out, the reproduction process is
ended.

[0658] As described above, the process for the format type
2 omits the process for verifying the integrity check value,
such as the total integrity check value. It thus provides a
configuration suitable for executing the decryption process at
a high speed and a format suitable for processing data such
as music data which requires real-time processing.

[0659] Next, the process for reproducing content data of
format type 3 will be described with reference to Fig. 45. The
following description will focus on differences from the above
described reproduction process for the format types 0, 1, and
2.

[0660] The process for the format type 3 essentially has
many characteristics in common with that for the format type
2. Format type 3 differs therefrom in that, as described
in Fig. 35, the format type 3 has no content key.
The block key Kblc is stored in the recording device 400
after encryption with the storage key Kstr.

[0661] Between steps S201 and S210, processing at steps
S251, S252, S253, and S254 is configured to omit the use of
the content key, which is contrary to the corresponding
processing for the formats 0, 1, and 2.

[0662] At step S251, the control section 301 of the
recording and reproducing device 300 takes out, from the
read-out header, the block information table key Kbit and
then transmits this key to the recording device 400. This is
done via the recording device controller 303 of the recording
and reproducing device 300. Kbit is encrypted with the storage
key Kstr unique to the recording device 400.

[0663] On receiving the block information table key Kbit
transmitted from the recording and reproducing device 300, the
recording device 400 causes the encryption/decryption section
406 of the recording device cryptography process section 401
to decrypt the received data with the storage key Kstr
and to then reencrypt the decrypted data using the session key
Kses. Kses is unique to the recording device 400, and is
stored in the internal memory 405 of the recording device
cryptography process section 401. Kses is made sharable
during the mutual authentication. This process is as
previously described in detail in (9) Key Exchange Process
after Mutual Authentication.

[0664] At step S252, the control section 301 of the
recording and reproducing device 300 receives the block
information table key Kbit (reencrypted with the session key
Kses) from the recording device 400. Kbit is received via the
recording device controller 303 of the recording and
reproducing device 300.

[0665] Then at step S253, the control section 301 of the
recording and reproducing device 300 transmits the received
block information table key Kbit (reencrypted with the session
key Kses) to the recording and reproducing device
cryptography process section 302 of the recording and
reproducing device 300. On receiving the block information
table key Kbit (reencrypted with the session key Kses the
content block), the recording and reproducing device
cryptography process section 302 of the recording and
reproducing device 300 causes the encryption/decryption
section 308 of the recording and reproducing device
cryptography process section 302 to decrypt this block
information table key Kbit with the session key Kses made
sharable during the mutual authentication.

[0666] Further at step S208, the decrypted block
information table key Kbit is used to decrypt the block
information read out at step S202. The recording and
reproducing device cryptography process section 302 of the
recording and reproducing device 300 replaces the decrypted
block information table key Kbit and block information table
BIT with the block information table key Kbit and block
information table BIT, contained in the header read out at
step S202, to hold the latter. Additionally, the control
section 301 of the recording and reproducing device 300 reads
the decrypted block information table BIT out from the
recording and reproducing device cryptography process section
302 of the recording and reproducing device 300.

[0667] Further, at step S254, the control section 306 of
the recording and reproducing device cryptography process
section 302 generates the integrity check value B (ICVb') from
the block information table key Kbit and the block information
table (BIT). The integrity check value B, ICVb', is generated,
as shown in Fig. 24, by using as a key the
integrity-check-value-B-generating key Kicvb to decrypt the
exclusive-ORed value comprising the block information table
key Kbit and the block information table (BIT), based on the
DES. Kicvb is stored in the internal memory 307 of the
recording and reproducing device cryptography process section
302. Then at step S210, the integrity check value B, ICVb',
and the ICVb in the header are compared together, and if they
are equal, the process proceeds to step S211.

[0668] With the format type 3, the block key is further
encrypted with the storage key when stored in the recording
device 400, thereby requiring the recording device 400 to
execute decryption processes with the storage key and the
session key Kses. It also requires the recording
and reproducing device 300 to execute a decryption process
with the session key. This series of steps corresponds to the
process steps shown as steps S255 and S256.

[0669] At step S255, the control section 301 of the
recording and reproducing device 300 takes out, from the
read-out header, the block key Kblc (encrypted with the storage
key Kstr, which is unique to the recording device that has
been read out at step S217) and then transmits this key to the
recording device 400 via the recording device controller 303
of the recording and reproducing device 300.

[0670] On receiving the block key Kblc transmitted from the
recording and reproducing device 300, the recording device 400
causes the encryption/decryption section 406 of the recording
device cryptography process section 401 to decrypt the
received data with the storage key Kstr.
It then reencrypts the decrypted data using the session key
Kses that was made sharable during the mutual authentication.
Kstr is unique to the recording device and is stored in the
internal memory 405 of the recording device cryptography
process section 401. This process is as previously described
in detail in (9) Key Exchange Process after Mutual
Authentication.

[0671] At step S256, the control section 301 of the
recording and reproducing device 300 receives the block key
Kblc (reencrypted with the session key Kses) from the
recording device 400 via the recording device controller 303
of the recording and reproducing device 300.

[0672] Then, at step S257, the cryptography process section 
306 of the recording and reproducing device 300 decrypts the 
block key Kblc using the session key Kses. 

[0673] Then at step S242, the block key Kblc, decrypted at
step S257, is used to decrypt the block data. Furthermore, at
step S243, the content (program or data) is executed and
reproduced. The processing from steps S217 to S243 is repeated
for all the blocks. When it is determined at step S244 that
all the blocks have been read out, the reproduction process is
ended.

[0674] The process for reproducing a content of the format
type 3 has been described. The format type 3 is similar to the
format type 2 in that the process for verifying the total
integrity check value is omitted. However, format type 3
provides a processing configuration with a higher security
level due to the inclusion of the process for exchanging the
block key Kblc.

(11) Process Executed by Content Provider to Generate Integrity 
Check Value (ICV) 

[0675] In the above described embodiments, the verification
processes with the various integrity check values ICV are
executed during downloading or reproducing a
content. Aspects of the process for generating the integrity
check values ICV and the verification process will be
described below.

[0676] First, each of the integrity check values explained
in the embodiments will be described in brief. The following
integrity check values, ICV, are used in the data processing
apparatus according to the present invention.

[0677] Integrity check value A, ICVa, is the integrity
check value for verifying that the content ID and usage policy
in the content data have not been tampered with.

[0678] Integrity check value B, ICVb, is the integrity
check value for verifying that the block information table key
Kbit, the content key Kcon, and the block information table
have not been tampered with.

[0679] Content integrity check value ICVi is the integrity
check value for verifying that each content block of the
content has not been tampered with.

[0680] Total integrity check value ICVt is the integrity
check value for verifying that the integrity check value ICVa,
the integrity check value ICVb, and all the integrity check
values for the content blocks have not been tampered with.
[0681] Integrity check value ICVdev, unique to the
recording and reproducing device 300, is the integrity check
value that is replaced with the total integrity check value
ICVt if the localization flag is set to 1. That is, the
content can be used only by a particular recording and
reproducing device 300. It is generated as an
integrity check value for the previously described integrity
check value A, ICVa, integrity check value B, ICVb, and
integrity check value ICVi contained in each block of the
content to be checked.

[0682] Depending on the format, the integrity check values
ICVt and ICVdev check the content itself, not the check value
for each content block.
[0683] Each of the above integrity check values is used in
the data processing apparatus according to the present
invention. Of these integrity check values, the integrity
check values A (ICVa) and B (ICVb), the total integrity check
value (ICVt), and the content integrity check value are
generated by a content provider (for providing content data)
or a content manager (based on data to be verified), as shown,
for example, in Figs. 32 to 35 and 6. They are stored in
the data together with the content before being provided to a
user of the recording and reproducing device 300. When
downloading or reproducing the content to or from the
recording device, the user of the recording and reproducing
device 300 (i.e., the content user) generates
verifying ICVs (based on each data to be verified), to compare
them with the stored ICVs. Additionally, the integrity check
value ICVdev, unique to the reproducing device 400, is
replaced with the total integrity check value ICVt. It is
then stored in the recording device 400 if it is shown that
the content can be used only by this recording and reproducing
device 300.

[0684] In the above-described embodiments, the
processes for generating the integrity check values are
principally based on the DES-CBC. The present invention,
however, is not limited to the above-described method,
but includes various ICV-generating and -verifying process
aspects. In particular, for the relationship between the
content provider or manager and the content user, the
following various ICV-generating and -verifying process
configurations are possible.

[0685] Figs. 46 to 48 are views illustrating a generation
process executed by a generator of the integrity check value
ICV and a verification process executed by a verifier.

[0686] Fig. 46 shows a configuration wherein, for example,
an ICV generator (who is a content provider or manager)
executes the process for generating the ICV based on the
DES-CBC as described in the above embodiments. It then
provides the generated ICV to a recording and reproducing
device user, that is, a verifier together with the content. In
this case, for the verification process, the recording and
reproducing device user requires, for
example, the keys stored in the internal memory 307 (shown in
Fig. 18) for generating the corresponding integrity check
values. The verifier (recording and reproducing device user)
who is the content user uses the
integrity-check-value-generating key stored in the internal
memory 307 to apply the DES-CBC to data to be verified in
order to generate the integrity check values. It then compares
these values with stored integrity check values. In this case,
each integrity-check-value-generating key is configured so as
to be secretly shared by the ICV creator and the verifier.

[0687] Fig. 47 shows a configuration wherein the ICV
creator (who is the content provider or manager) generates
ICVs using a digital signature of a public key cryptosystem
and then provides the generated ICVs to the content user.
The content user stores
the public key of the ICV creator and uses this key to verify
the ICVs. In this case, the public key of the ICV creator,
which is held by the content user (recording and reproducing
device user), need not be secret. This
results in easier management. This aspect is thus
suitable for ICV generation and management executed at a high
security management level, for example, that executed in one
entity.

[0688] In Fig. 48, the ICV creator (who is the content
provider or manager) generates ICVs using a digital signature
of a public key cryptosystem. It then provides the generated
ICVs to the content user together with
the content, further stores a public key used
for verification, in a public key certificate (see, for
example, Fig. 14), and then provides this key to the
recording and reproducing device user.
With a plurality of ICV creators, each creator has a key
managing center create data (a public key certificate) for
certifying the validity of the public key.

[0689] The content user (the ICV verifier) has a
public key of the key managing center. The ICV verifier
verifies the public key certificate using the public key of
the key managing center, and, if its validity has been
ascertained, takes out the public key of the ICV creator
stored in the public key certificate. The verifier further
verifies the ICVs using the taken-out public key of the ICV
creator.

[0690] This method is useful if a plurality of
ICV creators are present and if a center for managing these
creators has an established management system.

(12) Configuration for Generating Cryptography Process Keys 
Based on Master Keys 

[0691] A configuration for generating various cryptography
process keys based on the master keys will be
described below.

[0692] As previously described with reference to Fig. 18,
the internal memory 307 of the recording and reproducing
device 300 in the present data processing apparatus stores the
various master keys. Each of the various master keys
can be used, for example, to generate the authentication
key Kate (see Equation 3) or the distribution key Kdis (see
Equation 4).

[0693] When cryptography communication, mutual
authentication, MAC generation, verification, or the like is
carried out between two entities, these entities
conventionally hold secret information common to them,
such as key information. The entities may be, for
example, the content provider, the recording and reproducing
device 300, and the recording device 400 in the present data
processing apparatus. Additionally, when the above process is
carried out between one and many entities (for example, one
content provider and many content users, or one recording and
reproducing device and many recording media), these entities
conventionally store and hold secret information common to all
the entities. That is, secret information common to many
content users or many recording media, or one content provider
individually manages and uses secret information (ex. key) for
each of many content users.

[0694] With the one-to-many relationship as described above,
however, the configuration owning secret information (key)
shared by all the entities is disadvantageous in that leakage
of the secret from one entity affects all the other entities
using the same secret information (ex. key). In addition, when
one manager, such as a content provider,
individually manages and uses secret information for each
content user, a list is required that serves to identify
all the users and that associates this identification
data with unique secret information (ex. keys). This
increases list maintaining
and managing burdens in proportion to the number of users.
[0695] The data processing apparatus according to the
present invention has solved such a conventional problem with
the sharing of secret information between entities using a
configuration for holding the master keys and generating
various individual keys therefrom. This configuration will be
described below.

[0696] In the data processing apparatus according to the
present invention, if different individual keys are required
for various cryptography processes, authentication processes,
and the like between recording devices, media storing contents,
or recording and reproducing devices, these individual keys
are generated using individual information such as identifier
data (ID) unique to the devices or media and an individual-key
generating method (previously determined in the recording and
reproducing device 300). With this configuration, if any
individual key generated should be identified, damage to the
entire system can be precluded by preventing the corresponding
master key from leaking. In addition, the configuration for
generating the keys from the master keys eliminates the need
for the association list.

[0697] A specific example of configuration will be
described with reference to the drawings. Fig. 49 illustrates
a configuration for generating various keys using the various
master keys held by the recording and reproducing device 300.
The medium 500 and the communication means 600 input contents
as in the already described embodiments. The content is
encrypted by the content key Kcon, which is in turn encrypted
by the distribution key Kdis.

[0698] For example, if the recording and reproducing device
300 attempts to take a content out from the medium 500 or the
communication means 600 and download it to the recording
device 400, the recording and reproducing device 300 must
obtain the distribution key Kdis that has encrypted the
content key as previously described in Figs. 2 and 39 to 41.
Although the key Kdis can be directly obtained from the medium
500 or the communication means 600 or the recording and
reproducing device 300 can obtain and store it in its memory
beforehand, the configuration for distributing such a key to
many users may be subjected to leakage, which may affect the
entire system, as described above.

[0699] The data processing system according to the present
invention is configured to generate the distribution key Kdis
by applying a master key MKdis for the distribution key stored
in the memory of the recording and reproducing device 300 as
well as a process based on the content ID. That is,
Kdis = DES (MKdis, content ID), as shown in the lower part of
Fig. 49. In a content distributing configuration between a
content provider providing contents from the medium 500 or the
communication means 600 and the recording and reproducing
device 300 (where recording and reproducing device 300 is a
content user), despite a large number of content providers,
this configuration enables advanced security to be maintained
without the need to distribute the individual distribution
keys Kdis via the medium 500, the communication means 600, or
the like, or to store them in each recording and reproducing
device 300.

[0700] Next, the generation of the authentication key Kake
will be explained. In downloading a content from the recording
and reproducing device 300 to the recording medium 400 (as
previously described in Figs. 22 and 39 to 41), or causing the
recording and reproducing device 300 to execute and reproduce
a content stored in the recording medium 400 (as described in
Figs. 42 to 45), the recording and reproducing device 300 and
the recording medium 400 must execute the mutual
authentication process (see Fig. 20).

[0701] As described in Fig. 20, this authentication process
requires the recording and reproducing device 300 to have the
authentication key Kake. Although the recording and
reproducing device 300 can obtain the authentication key
directly from, for example, the recording medium 400 or can
obtain and store it in its memory beforehand, the
configuration for distributing such a key to many users may be
subjected to leakage. Leakage may affect the entire system, as
in the above-described configuration for the distribution key.

[0702] The data processing system according to the present
invention is configured to obtain the authentication key Kake
by applying a master key MKake for the distribution key stored
in the memory of the recording and reproducing device 300, as
well as a process based on the recording device ID: IDmem.
That is, Kake = DES (MKake, IDmem), as shown in the lower
part of Fig. 49.

[0703] Further, in downloading content from the recording
and reproducing device 300 to the recording medium 400 (as
previously described in Figs. 22 and 39 to 41) or causing the
recording and reproducing device 300 to execute and reproduce
content stored in the recording medium 400 (as described in
Fig. 28, Figs. 42 to 45), a configuration similar to that for
the distribution or authentication key described above can be
used for the recording and reproducing device signature key
Kdev that is required to generate the integrity check value
ICVdev unique to the recording and reproducing device 300 if
the content can be used only by a particular recording and
reproducing device 300. In the above described embodiments,
the recording and reproducing device signature key Kdev is
stored in the internal memory. However, if the master key
MKdev for the recording and reproducing device signature key
is stored in the memory whereas the recording and reproducing
device signature key Kdev is not stored therein, and if the
recording and reproducing device signature key Kdev is
obtained by means of Kdev = DES (MKdev, IDdev) based on the
recording and reproducing device identifier IDdev and the
master key MKdev for the recording and reproducing device
signature key, as required (as shown in the lower part of Fig.
49), then it advantageously becomes unnecessary for each
apparatus to have the recording and reproducing device
signature key Kdev.

[0704] In this manner, the data processing apparatus
according to the present invention is configured to
sequentially generate information from the master keys and
each ID. The information is, for example, a key which is
required for the cryptography information process between two
entities. The entities may be, by way of example, the provider
and the recording and reproducing device 300, or the recording
and reproducing device 300 and the recording device 400.
Consequently, even if the key information leaks from each
entity, the range of damage incurred by the individual keys is
further limited. It also becomes unnecessary to manage key
lists for the individual entities as described above.

[0705] A plurality of examples of processes relating to
this configuration will be explained with flowcharts. Fig. 50
shows examples of a process executed by the content producer
or manager to decrypt content or the like using a master key.
Fig. 50 also illustrates a process executed by a user device
(for example, the recording and reproducing device 300 in the
above described embodiment) to decrypt the encrypted data
using the master key.

[0706] At step S501, a content producer or manager imparts
an identifier (content identifier) to content. At step S502,
the content producer or manager generates a key for encrypting
content or the like, based on its owned master key and a
content ID. At this step, if the distribution key Kdis is to
be generated, it is generated based on the above-described
Kdis = DES (MKdis, medium ID). Then at step S503, the content
producer or manager uses a key (for example, the distribution
key Kdis) to encrypt part or all of the content stored in the
medium. The content producer supplies the content encrypted
through these steps, via the medium 500 such as a DVD, the
communication means 600, or the like.

[0707] At step S504, a user device (such as the recording
and reproducing device 300) reads the content ID from the
content data received via the medium 500 such as a DVD, the
communication means 600, or the like. Then at step S505, the
user device generates a key applied to decryption of the
encrypted content based on the read-out medium ID and its
owned master key. If the distribution key Kdis is to be
obtained, this generation process corresponds to, for example,
the distribution key Kdis = DES (MKdis, medium ID). At step
S506, the user device uses this key to decrypt the content. At
step S507, the user device reproduces the decrypted content or
executes the program.

[0708] In this example, as shown in the lower part of Fig.
50, both the content producer or manager and the user device
have the master key (for example, the distribution-key-
generating master key MKdis) to sequentially generate the
distribution key required to encrypt or decrypt the content
based on their owned master key and each ID (medium ID).

[0709] With this system, if the distribution key leaks to a
third person, the third person can decrypt that content.
However, contents stored in other media 500 with different
content IDs can be prevented from decryption. This minimizes
the adverse effects of the leakage of one content key on the
entire system. Additionally, this system does not require the
user device (that is, the recording and reproducing device
300) to hold a key associating list for each medium 500.

[0710] An example where the content producer or manager
holds a plurality of master keys to execute a process
depending on a content distribution destination is provided
with reference to Figs. 51-52.

[0711] In Fig. 51, step S511, executed by the content
producer or manager, comprises imparting an identifier
(content ID) to the content. Step S512 comprises selecting one
of a plurality of master keys (for example, a plurality of
distribution-key-generating master keys MKdis) held by the
content producer or manager. Although described in further
detail with reference to Fig. 52, this selection process
comprises setting an applied master key beforehand for each of
the countries to which content users belong, each apparatus
type, or each apparatus version, and executing the master keys
in accordance with the settings.

[0712] Then at step S513, the content producer or manager
generates an encryption key based on the master key selected
at step S512 and the content ID determined at step S511. If,
for example, the distribution key Kdis is to be generated, it
is generated based on the above described Kdis = DES (MKdis,
medium ID). Then at step S514, the content producer or manager
uses a key (for example, the distribution key Kdisi) to
encrypt part or all of the content stored in the medium. At
step S515, the content producer distributes the encrypted
content via the medium 500 such as a DVD, the communication
means 600, or the like, using a distribution unit. The
distribution unit comprises the content ID, the
master-key-generating information used, and the encrypted
content.

[0713] On the other hand, at step S516, for example, the
user device (such as a recording and reproducing device 300)
determines whether or not it holds the master key
corresponding to the master key ID in the content data
distributed by the medium 500 (such as a DVD) or by the
communication means 600. If it does not have the master key
corresponding to the master key ID in the content data, the
distributed content cannot be used by this user device and the
process is ended.

[0714] If the user device has the master key corresponding
to the master key ID in the content data, then at step S517
it reads the content ID out from the content data received via
the medium 500, the communication means 600, or the like. Then
at step S518, the user device generates a key applied to
decryption of the encrypted content based on the read-out
content ID and its held master key. This process is a
distribution-key Kdisi = DES (MKdisi, contents ID) if it
intends to get a distribution key Kdisi. At step S519, the
content is decrypted by means of the Kdisi key. At step S520,
the decrypted contents are used, that is, reproduction or a
program is performed.

[0715] In this example, as shown in the lower part of Fig.
51, the content producer or manager has a master key set
comprising a plurality of master keys. The master key set
includes, for example, distribution-key-generating master keys
MKdis 1 to N. On the other hand, the user device has one
master key. For example, the user device has one
distribution-key-generating master key MKdisi so that it can
decrypt the content only when the content producer or manager
has used the key MKdisi for the encryption.

[0716] Fig. 52 shows an example where master keys varying
depending on the country are applied, as a specific example of
the aspect shown in the flow in Fig. 51. The content provider
has master keys MK1 to MKN, of which the key MK1 is used to
generate keys for encrypting contents distributed to user
devices for Japan. For example, an encryption key K1 is
generated from a content ID and the key MK1 and then used to
encrypt content. The master keys MK1 to MKN are further set
such that the key MK2 is used to generate keys for encrypting
contents distributed to user devices for the U.S., and the key
MK3 is used to generate keys for encrypting contents
distributed to user devices for the EU (Europe).

[0717] For user devices for Japan, for instance, recording
and reproducing devices 300 such as PCs or game apparatuses
which are sold in Japan, the master key MK1 is stored in their
internal memories; for user devices for the U.S., the master
key MK2 is stored in their internal memories 307; and for user
devices for the EU, the master key MK3 is stored in their
internal memories 307.

[0718] With this configuration, the content provider
selectively uses one of the master keys MK1 to MKN depending
on user devices that can use the content, in order to encrypt
the content to be distributed to the user devices. For
example, to allow the content to be used only by the user
devices for Japan, the master key K1 (generated using the
master key MK1) is used to encrypt the content. This encrypted
content can be decrypted using the master key MK1 stored in
the user devices for Japan; that is, MK1 allows a decryption
key to be generated. In contrast, the key K1 cannot be
obtained from the master keys MK2 and MK3 (stored in the user
devices for the U.S. and EU, respectively), thereby preventing
the encrypted content from being decrypted.

[0719] In this manner, the content provider can selectively
use a plurality of master keys to set localization for various
contents. Fig. 52 shows an example where the different master
keys are used for the different countries to which the user
devices belong, but various use forms are possible. For
example, the master key can be switched depending on the type
of the user device or its version, as described above.
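
The flow of Figs. 51 and 52 (steps S511 to S519), written out as an added example that is not part of the original specification. HMAC-SHA-256 stands in for the DES-based derivation Kdis = DES (MKdis, content ID), and an XOR keystream stands in for the content cipher; the key values, content IDs, payloads and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed master-key set in the layout of Fig. 52: the provider holds
# every master key, each user device holds exactly one of them.
PROVIDER_MASTER_KEYS = {
    "MK1": bytes.fromhex("000102030405060708090a0b0c0d0e0f"),  # devices for Japan
    "MK2": bytes.fromhex("101112131415161718191a1b1c1d1e1f"),  # devices for the U.S.
    "MK3": bytes.fromhex("202122232425262728292a2b2c2d2e2f"),  # devices for the EU
}


def derive_key(master_key: bytes, content_id: bytes) -> bytes:
    """Individual key from a master key and an ID.

    Assumption: HMAC-SHA-256 replaces the page's DES(MKdis, content ID).
    """
    return hmac.new(master_key, b"Kdis|" + content_id, hashlib.sha256).digest()


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Illustrative cipher (assumption): XOR with an HMAC counter keystream.

    Applying it twice with the same key restores the input.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hmac.new(key, b"stream|" + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def provider_package(master_key_id: str, content_id: bytes, content: bytes) -> dict:
    """Steps S511-S515: select a master key, derive the key, encrypt, build the unit."""
    kdis = derive_key(PROVIDER_MASTER_KEYS[master_key_id], content_id)
    return {
        "content_id": content_id,
        "master_key_id": master_key_id,
        "encrypted_content": xor_keystream(kdis, content),
    }


def device_open(unit: dict, device_master_keys: dict):
    """Steps S516-S519 on the user device.

    Returns None when the device does not hold the master key named in the unit.
    """
    master_key = device_master_keys.get(unit["master_key_id"])
    if master_key is None:
        return None  # S516: this device cannot use the content
    kdis = derive_key(master_key, unit["content_id"])       # S517-S518
    return xor_keystream(kdis, unit["encrypted_content"])   # S519


def demo() -> dict:
    japan_device = {"MK1": PROVIDER_MASTER_KEYS["MK1"]}
    us_device = {"MK2": PROVIDER_MASTER_KEYS["MK2"]}
    unit_a = provider_package("MK1", b"content-0001", b"movie A payload (constructed)")
    unit_b = provider_package("MK1", b"content-0002", b"movie B payload (constructed)")
    # Containment check: the individual key for content A, if it leaked,
    # does not recover content B, which has a different content ID.
    key_for_a = derive_key(PROVIDER_MASTER_KEYS["MK1"], b"content-0001")
    return {
        "japan_opens_a": device_open(unit_a, japan_device),
        "us_opens_a": device_open(unit_a, us_device),
        "key_a_on_b": xor_keystream(key_for_a, unit_b["encrypted_content"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Neither side keeps a list associating content IDs with keys; the only stored secrets are the master keys, which is the property paragraphs [0709] and [0715] rely on.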

[0720] Next, Fig. 53 shows an example of a process where an
identifier unique to a medium 500 (i.e., a medium ID) and a
master key are combined together. Here, the medium 500 refers
to, for example, DVDs or CDs in which content is stored. The
medium ID may be unique to individual media 500, the titles of
contents such as movies, or individual medium manufacturing
lots. In this manner, medium IDs may be assigned in various
manners.

[0721] At step S521, a medium producer or manager
determines an identifier (medium identifier) for a medium 500.
At step S522, the medium producer or manager generates a key
for encrypting content stored in the medium 500 based on its
owned master key and a medium ID. At this step, if, for
example, the distribution key Kdis is to be generated, it is
generated based on the above described Kdis = DES (MKdis,
medium ID). Then at step S523, the medium producer or manager
uses a key (for example, the distribution key Kdis) to encrypt
part or all of the content stored in the medium 500. The
medium producer supplies the medium 500 storing the content
encrypted through these steps.

[0722] On the other hand, at step S524, a user device such
as the recording and reproducing device 300 reads the medium
ID from the supplied medium 500. Then at step S525, the user
device generates a key applied to decryption of the encrypted
content based on the read-out medium ID and its owned master
key. If the distribution key Kdis is to be obtained, this
generation process corresponds to, for example, the
distribution key Kdis = DES (MKdis, medium ID). At step S526,
the user device uses this key to decrypt the content. At step
S527, the user device uses the content. That is, the user
device reproduces the decrypted content or executes the
program.

[0723] In this example, as shown in the lower part of Fig.
53, both the medium producer or manager and the user device
have the master key (for example, the distribution-key-
generating master key MKdis) to sequentially generate the
distribution key required to encrypt or decrypt the content
based on their owned master key and each ID (medium ID).

[0724] With this system, if any medium key leaks to a third
person, the third person can decrypt the content in the medium
500, but contents stored in other media 500 with different
medium IDs can be prevented from decryption. This minimizes
the adverse effects of the leakage of one medium key on the
entire system. Additionally, this system does not require the
user device, that is, the recording and reproducing device
300, to hold a key associating list for each medium 500.
Further, the size of content encrypted with one medium key is
limited to a capacity that can be stored within that medium
500, so that there is a slim possibility that the content
reaches the amount of information required to attack the
encrypted text. This further reduces the possibility of
decrypting the encrypted text.

[0725] Next, Fig. 54 shows an example of a process where an
identifier unique to the recording and reproducing device 300,
that is, a recording and reproducing device ID, and a master
key are combined together.

[0726] At step S531, a recording and reproducing device
user generates a key for encrypting content or the like based
on a master key and a recording and reproducing device ID.
This information can be stored, for example, in the internal
memory 307 of the recording and reproducing device 300. If,
for example, the content key Kcon is to be obtained, this
generation process corresponds to Kcon = DES (MKcon,
recording and reproducing device ID). Then at step S532, the
user uses a key (for example, the distribution key Kcon) to
decrypt the content. At step S533, the user stores the
encrypted content in the recording and reproducing device 300,
such as a hard disk.

[0727] On the other hand, when the recording and
reproducing device user that has stored the content requests
the stored data to be recovered, a system manager for managing
the recording and reproducing device 300 reads a recording and
reproducing device ID from the recording and reproducing
device in step S534. Then at step S535, the system manager
generates a key applied to recovery of the encrypted content,
based on the read-out recording and reproducing device ID and
its owned master key. If the content key Kcon is to be
obtained, this generation process corresponds to, for example,
the content key Kcon = DES (MKcon, recording and reproducing
device ID). At step S536, the user device uses this key to
decrypt the content.

[0728] In this example, as shown in the lower part of Fig.
54, both the recording and reproducing device user and the
system manager have the master key (for example, the content-
key-generating master key MKcon) to sequentially generate the
distribution key required to encrypt or decrypt the content
based on their owned master key and each ID (recording and
reproducing device ID).

[0729] With this system, if the content key leaks to a
third person, the third person can decrypt that content, but
contents stored in other media 500 with different recording
and reproducing device IDs can be prevented from decryption.
This minimizes the adverse effects of the leakage of one
content key on the entire system. Additionally, this system
does not require the system manager or the user device to hold
a key associating list for each medium 500.

[0730] Fig. 55 shows a configuration wherein an
authentication key used for a mutual authentication process
between a slave device (for example, the recording device 400,
such as a memory card) and a host device (for example, the
recording and reproducing device 300) is generated based on a
master key. Although in the previously described
authentication process (see Fig. 20), the authentication key
is stored in the internal memory 405 of the slave device in
advance, it can be generated during the authentication process
based on the master key as shown in Fig. 55.

[0731] For example, at step S541, the slave device that is
the recording device 400 generates, as an initialization
process before starting the authentication process, the
authentication key Kake. Kake is for use in the mutual
authentication process based on the master key and slave
device ID stored in the internal memory 105 of the slave
device that is the recording device 400. The authentication
key is generated based on Kake = DES (MKake, slave device ID).
Then at step S542, the generated authentication key is stored
in the memory.

[0732] On the other hand, at step S543, the host device,
such as the recording and reproducing device 300, reads a
slave device ID out from the installed recording device 400
(that is, the slave device), via the communication means. Then
at step S544, the host device generates an authentication key
applied to a mutual authentication process based on the read-
out slave device ID and its owned authentication-key-
generating master key. This generation process corresponds to,
for example, the authentication key Kake = DES (MKake, slave
device ID). At step S545, this authentication key is used to
execute the authentication process.

[0733] In this example, as shown in the lower part of Fig.
55, both the slave device and the master device have the
master key (that is, the authentication-key-generating master
key MKake) to sequentially generate the distribution key
required for the authentication process based on their owned
master key and the slave device ID.

[0734] With this system, if the authentication key leaks to 
a third person, this authentication key is effective only on 
the corresponding slave device and authentication is not 
established with other slave devices, thereby minimizing the 
adverse effects of the leakage of the key. 
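
Steps S541 to S545 of Fig. 55, as an added example that is not part of the original specification. HMAC-SHA-256 stands in for Kake = DES (MKake, slave device ID), and the two-way challenge-response below is an assumed exchange rather than the procedure of Fig. 20; class names, IDs and key bytes are constructed.

```python
import hashlib
import hmac
import secrets


def derive_kake(mk_ake: bytes, slave_id: bytes) -> bytes:
    """Assumption: HMAC-SHA-256 replaces the page's DES(MKake, slave device ID)."""
    return hmac.new(mk_ake, b"Kake|" + slave_id, hashlib.sha256).digest()


def _proof(kake: bytes, role: bytes, first_nonce: bytes, second_nonce: bytes) -> bytes:
    """Keyed proof that the sender of `role` knows Kake for this exchange."""
    return hmac.new(kake, role + first_nonce + second_nonce, hashlib.sha256).digest()


class SlaveDevice:
    """Recording device 400 (e.g. a memory card)."""

    def __init__(self, slave_id: bytes, kake: bytes):
        self.slave_id = slave_id
        self._kake = kake  # S542: authentication key kept in internal memory
        self._nonce = b""
        self._host_nonce = b""

    @classmethod
    def initialize(cls, slave_id: bytes, mk_ake: bytes) -> "SlaveDevice":
        """S541-S542: derive Kake from the master key and the device's own ID."""
        return cls(slave_id, derive_kake(mk_ake, slave_id))

    def answer(self, host_nonce: bytes):
        """Prove knowledge of Kake to the host and issue a challenge in return."""
        self._host_nonce = host_nonce
        self._nonce = secrets.token_bytes(16)
        return self._nonce, _proof(self._kake, b"slave", host_nonce, self._nonce)

    def verify_host(self, host_proof: bytes) -> bool:
        expected = _proof(self._kake, b"host", self._nonce, self._host_nonce)
        return hmac.compare_digest(expected, host_proof)


class HostDevice:
    """Recording and reproducing device 300: stores only the master key."""

    def __init__(self, mk_ake: bytes):
        self._mk_ake = mk_ake

    def mutual_authenticate(self, slave: SlaveDevice) -> bool:
        # S543-S544: read the slave ID and regenerate Kake on demand,
        # so no per-device key list is held on the host.
        kake = derive_kake(self._mk_ake, slave.slave_id)
        host_nonce = secrets.token_bytes(16)
        slave_nonce, slave_proof = slave.answer(host_nonce)  # S545
        expected = _proof(kake, b"slave", host_nonce, slave_nonce)
        if not hmac.compare_digest(expected, slave_proof):
            return False
        return slave.verify_host(_proof(kake, b"host", slave_nonce, host_nonce))


def demo():
    mk_ake = bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaabacadaeaf")  # constructed
    host = HostDevice(mk_ake)
    card_a = SlaveDevice.initialize(b"IDmem-A", mk_ake)
    card_b = SlaveDevice.initialize(b"IDmem-B", mk_ake)
    # Containment case of paragraph [0734]: the key derived for card A,
    # presented under card B's ID, does not establish authentication.
    mismatched = SlaveDevice(b"IDmem-B", derive_kake(mk_ake, b"IDmem-A"))
    return (
        host.mutual_authenticate(card_a),
        host.mutual_authenticate(card_b),
        host.mutual_authenticate(mismatched),
    )


if __name__ == "__main__":
    print(demo())
```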

[0735] As described above, the data processing apparatus 
according to the present invention is configured so that the 
information such as the key which is required for the 
procedure for the cryptography information process between the 
two entities such as the content provider and the recording 
and reproducing device, or the recording and reproducing 
device and the recording device. Thus, even if the key 
information leaks from each entity, the range of damage 
incurred by the individual keys is further limited. It
also becomes unnecessary to manage key lists for the
individual entities as described above. 

(13) Control of Cryptography Intensity in Cryptography Process

[0736] In the above described embodiments, the cryptography
process between the recording and reproducing device 300 and
the recording device 400 is principally described in
conjunction with the example using the cryptography process
based on the single DES configuration described with reference
to Fig. 7. The encryption process method applied to the
present data processing apparatus is not limited to the above
described Single DES. Any encryption method may be employed
depending on a required security state.

[0737] For example, the Triple DES method, configured as
shown in the previously described Figs. 8 to 10, is
applicable. For example, both the cryptography process section
302 of the recording and reproducing device 300 and the
cryptography process section 401 of the recording device 400
shown in Fig. 3 can be configured so as to execute the Triple
DES method so that a process can be executed which corresponds
to the cryptography process based on the Triple DES method
described in Figs. 8 to 10.

[0738] The content provider, however, may give top priority
to processing speed (dependent on the content) to use a 64-bit
content key Kcon based on the Single DES method, or give top
priority to security to use a 128- or 192-bit content key Kcon
based on the Triple DES method. Accordingly, it is not
preferable to configure the cryptography process section 302
of the recording and reproducing device 300 and the
cryptography process section 401 of the recording device 400
so as to accommodate only one of the Triple and Single DES
methods. Therefore, the cryptography process section 302 of
the recording and reproducing device 300 and the cryptography
process section 401 of the recording device 400 are desirably
configured so as to accommodate both the Triple and Single DES
methods.

[0739] However, to configure the cryptography process
section 302 of the recording and reproducing device 300 and
the cryptography process section 401 of the recording device
400 so as to execute both the Triple and Single DES methods,
different circuits and logics must be configured for these
cryptography process sections. For example, to allow the
recording device 400 to execute a process corresponding to the
Triple DES, a command set for the Triple DES must be stored in
the command register as shown in Fig. 29. This may complicate
the process section configured in the recording device 400.

[0740] Thus, for the present data processing apparatus, a
configuration is proposed wherein the logic of the
cryptography process section 401 of the recording device 400
is configured to accommodate the Single DES, while executing a
process corresponding to the Triple DES process to store data
(keys, contents, or the like) encrypted based on the Triple
DES method, in the external memory 402 of the recording
device 400.

[0741] For example, for the data format type 0 shown in
Fig. 32, when content data is downloaded from the recording
and reproducing device 300 to the recording device 400, the
authentication process is executed at step S101 in Fig. 39
(showing the flow of downloading data of the format type 0),
and the session key Kses is generated. Further, at step S117,
the cryptography process section 302 of the recording and
reproducing device 300 encrypts the content key Kcon with the
session key Kses. It then transmits the encrypted key to the
recording device 400 via the communication means 600. At step
S118, the cryptography process section 403 of the recording
device 400 (which has received the encrypted key) decrypts the
content key Kcon with the session key Kses. Cryptography
process section 403 then further encrypts it with the storage
key Kstr, and transmits the resulting key to the cryptography
process section 302 of the recording and reproducing device
300. The recording and reproducing device 300 subsequently
forms a data format (step S121). It transmits formatted data
to the recording device 400, and the recording device 400
stores the received data in the external memory 402.

[0742] If the cryptography process executed between steps
S117 and S118 of the above process (by the cryptography
process section 401 of the recording device 400) is configured
to selectively execute either the Single or Triple DES method,
the cryptography process section 401 works whether the content
provider provides content data using the content key Kcon in
accordance with the Triple DES or the Single DES.

[0743] Fig. 56 illustrates a configuration for executing
the cryptography process method in accordance with the Triple
DES method. This is done using both the cryptography process
section 302 of the recording and reproducing device 300 and
the cryptography process section 401 of the recording device
400. Fig. 56 shows an example of a process for encrypting the
content key Kcon with the storage key Kstr. The process is
executed in downloading content data from the recording and
reproducing device 300 to the recording device 400. The
content key Kcon is based on the Triple DES method. Here, the
example of the process for the content key Kcon is shown, but
other keys or other data, such as content, can be similarly
processed.

[0744] The Triple DES method uses two or three keys in such
a manner that a 64-bit key is used for the Single DES, while a
128- or 192-bit key is used for the Triple DES, as previously
described in Figs. 8 to 10. These three content keys Kcon are
referred to as Kcon1, Kcon2, and (Kcon3) or, alternatively,
Kc1, Kc2 and (Kc3) as shown in Fig. 56. The Kcon3 is shown in
the parentheses because it may not be used.

[0745] The process in Fig. 56 will be explained as follows.
At step S301, the mutual authentication process is carried out 
between the recording and reproducing device 300 and the 
recording device 400. This mutual authentication process step 
is executed during the process as in the previously described 
Fig. 20. During this authentication process, the session key 
Kses is generated. 

[0746] Once the authentication process at step S301 has
been completed, the integrity check values ICV (including the
integrity check values A and B, the content integrity check
value, and the total integrity check value) are collated.

[0747] When all the check values (ICV) have been collated,
and it has been determined that no data have been tampered
with, the process proceeds to step S303. In step S303, the
control section 306 of the recording and reproducing device
cryptography process section 302 uses the
encryption/decryption section 308, as well as the previously
obtained or generated distribution key Kdis, to decrypt the
content key Kcon. Kcon may be stored in the header section of
the data obtained from the medium 500, or received from the
communication means 600 via the communication section 305. The
content key in this case is a triple DES type key, such as
content keys Kcon1, Kcon2, and (Kcon3).

[0748] Then at step S304, the control section 306 of the
recording and reproducing device cryptography process section
302 causes the encryption/decryption section 308 of the
recording and reproducing device cryptography process section
302 to encrypt only the content key Kcon1 of the content keys
Kcon1, Kcon2, and (Kcon3) decrypted at step S303. This is
done using the session key Kses made sharable during the
mutual authentication.

[0749] The control section 301 of the recording and
reproducing device 300 reads data containing the content key
Kcon1 (encrypted with the session key Kses). The data is
read out from the recording and reproducing device
cryptography process section 302 of the recording and
reproducing device 300. The control section 301 then transmits
this data to the recording device 400 via the recording
device controller 303 of the recording and reproducing device
300.

[0750] Then at step S305 (on receiving the content key
Kcon1 transmitted from the recording and reproducing device
300), the recording device 400 causes the
encryption/decryption section 406 of the recording device
cryptography process section 401 to decrypt the received
content key Kcon1 using the session key Kses. Kses was made
sharable during the mutual authentication. Further at step
S306, the recording device 400 causes the
encryption/decryption section 406 to reencrypt the decrypted
content key with the storage key Kstr. Kstr is unique to the
recording device 400. It is stored in the internal memory
405 of the recording device cryptography process section 401.
The recording device 400 then transmits the reencrypted key to
the recording and reproducing device 300 via the communication
section 404.

[0751] Then at step S307, the control section 306 of the
recording and reproducing device cryptography process section
302 causes the encryption/decryption section 308 of the
recording and reproducing device cryptography process section
302 to encrypt only the content key Kcon2 of the content keys
Kcon1, Kcon2, and (Kcon3). This is done using the session key
Kses, which was made sharable during the mutual
authentication.

[0752] The control section 301 of the recording and
reproducing device 300 reads data containing the content key
Kcon2 encrypted with the session key Kses, out from the
recording and reproducing device cryptography process section
302 of the recording and reproducing device 300. The control
section 301 then transmits this data to the recording device
400 via the recording device controller 303 of the recording
and reproducing device 300.

[0753] Then at step S308, on receiving the content key
Kcon2 transmitted from the recording and reproducing device
300, the recording device 400 causes the encryption/decryption
section 406 of the recording device cryptography process
section 401 to decrypt the received content key Kcon2. It is
decrypted using the session key Kses, which was made sharable
during the mutual authentication. Further at step S309, the
recording device 400 causes the encryption/decryption section
406 to reencrypt the decrypted content key with the storage
key Kstr. Kstr is unique to the recording device, and is
stored in the internal memory 405 of the recording device
cryptography process section 401. Recording device 400
then transmits the reencrypted key to the recording and
reproducing device 300 via the communication section 404.

[0754] Then at step S310, the control section 306 of the
recording and reproducing device cryptography process section
302 causes the encryption/decryption section 308 of the
recording and reproducing device cryptography process section
302 to encrypt only the content key Kcon3 of the content keys
Kcon1, Kcon2, and (Kcon3). This is performed using the session
key Kses, which was made sharable during the mutual
authentication.

[0755] The control section 301 of the recording and
reproducing device 300 reads data containing the content key
Kcon3 (encrypted with the session key Kses) out from the
recording and reproducing device cryptography process section
302 of the recording and reproducing device 300. The control
section 301 then transmits this data to the recording
device 400 via the recording device controller 303 of the
recording and reproducing device 300.

[0756] Then at step S311, the recording device 400 causes
the encryption/decryption section 406 of the recording device
cryptography process section 401 to decrypt the received
content key Kcon3 using the session key Kses made sharable
during mutual authentication. This is done on receiving the
content key Kcon3 that is transmitted from the recording and
reproducing device 300. Further, at step S312, the recording
device 400 causes the encryption/decryption section 406 to
reencrypt the decrypted content key with the storage key Kstr.
Kstr is unique to the recording device and is stored in the
internal memory 405 of the recording device cryptography
process section 401. Recording device 400 then transmits the
reencrypted key to the recording and reproducing device 300
via the communication section 404.

[0757] Then at step S313, the cryptography process section
of the recording and reproducing device 300 forms the various
data formats described in Figs. 32 to 35 and transmits them to
the recording device 400.

[0758] Finally, at step S314, the recording device 400
stores the received formatted data in the external memory 402.
This format data contains the content keys Kcon1, Kcon2,
and (Kcon3) that were encrypted with the storage key Kstr.

[0759] This process enables the content keys stored in the
recording device 400 to be stored as keys based on the Triple
DES cryptosystem. If only two content keys Kcon1 and Kcon2 are
used, the processing from steps S310 to S312 is omitted.

[0760] As described above, the recording device 400 can
store the keys with the Triple DES applied thereto in the
memory by repeating processing of the same aspect. That is,
the process steps S305 and S306 can be performed
plural times with only the target changed. If the Single DES
is applied to the content keys Kcon, steps S305 and S306 may
be executed to carry out the formatting process at step S313
before storing the keys in the memory. Such a configuration
may store commands for executing the processing at steps S305
and S306 in the command register, as in the previously
described Fig. 29, and execute this processing one to three
times depending on the aspect of the key. That is,
repeating the processing depends upon whether the key is based
on the Triple or Single DES method. Accordingly, the processes
based on both the Triple and Single DES methods can be
executed without containing the Triple DES process method in
the process logic of the recording device 400. In this regard,
the cryptosystem may be recorded in the usage policy in the
header section of the content data so as to be determined by
referencing the usage policy.
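
The transfer in steps S303 to S314, as an added Python sketch that is not part of the original specification: the recording device exposes one single-block rewrap command (S305 and S306) and the host calls it once per key component. The Feistel cipher built on SHA-256 is a stand-in for Single DES, and all class, function and key names and sample values are assumptions constructed for illustration.

```python
import hashlib

BLOCK = 8  # one 64-bit key component (Kcon1, Kcon2 or Kcon3)


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: 32 bits from SHA-256(key, round, half-block)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Stand-in for one Single DES encryption of a 64-bit block (NOT real DES)."""
    if len(block) != BLOCK:
        raise ValueError("block must be 8 bytes")
    left, right = block[:4], block[4:]
    for rnd in range(rounds):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes, rounds: int = 8) -> bytes:
    """Inverse of encrypt_block: undo the Feistel rounds in reverse order."""
    if len(block) != BLOCK:
        raise ValueError("block must be 8 bytes")
    left, right = block[:4], block[4:]
    for rnd in reversed(range(rounds)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


class RecordingDevice:
    """Recording device 400. Its only key command is a single-block rewrap."""

    def __init__(self, kses: bytes, kstr: bytes):
        self._kses = kses          # session key from mutual authentication
        self._kstr = kstr          # storage key, stays in internal memory
        self.external_memory = []  # formatted data stored at S314
        self.rewrap_calls = 0

    def rewrap(self, under_kses: bytes) -> bytes:
        """S305+S306 (also S308+S309, S311+S312): Kses-decrypt, Kstr-encrypt."""
        self.rewrap_calls += 1
        component = decrypt_block(self._kses, under_kses)
        return encrypt_block(self._kstr, component)

    def store(self, formatted: dict) -> None:
        self.external_memory.append(formatted)


def download_content_keys(header_keys, kdis, kses, device):
    """Host side (device 300). Returns every block that crossed the link."""
    wire = []
    stored = []
    for under_kdis in header_keys:                    # 1, 2 or 3 components
        component = decrypt_block(kdis, under_kdis)   # S303
        to_device = encrypt_block(kses, component)    # S304 / S307 / S310
        from_device = device.rewrap(to_device)        # device runs S305+S306
        wire += [to_device, from_device]
        stored.append(from_device)
    # S313/S314: the cryptosystem is recorded in the usage policy, so the
    # device logic never needs to know whether the key is Triple or Single DES.
    cryptosystem = "triple-des" if len(stored) > 1 else "single-des"
    device.store({"usage_policy": {"cryptosystem": cryptosystem},
                  "kcon_under_kstr": stored})
    return wire


# Constructed sample keys, for illustration only.
KDIS = bytes.fromhex("00112233445566778899aabbccddeeff")
KSES = bytes.fromhex("0f1e2d3c4b5a6978")
KSTR = bytes.fromhex("a1b2c3d4e5f60718")
KCON = [b"KCON1___", b"KCON2___", b"KCON3___"]

if __name__ == "__main__":
    dev = RecordingDevice(KSES, KSTR)
    header = [encrypt_block(KDIS, k) for k in KCON]
    wire = download_content_keys(header, KDIS, KSES, dev)
    print(dev.rewrap_calls, "rewrap commands;",
          "plaintext key on the link:", any(k in wire for k in KCON))
```

Each 64-bit component crosses the link and rests in memory under a single-key wrap, so the strength of Kses and Kstr, not of the Triple DES content key, bounds the protection of the key material in this scheme.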

(14) Program Activation Process Based on Activation Priority in 
Usage Policy in Content Data 

[0761] As understood from the content data configurations 
in the previously described Figs. 4 to 6, the usage policy 
stored in the header section of the content data used in the 
present data processing apparatus contains the content type 
and the activation priority. With a plurality of accessible 
content data recorded in various recording media 500 such as 
the recording device 400, a DVD, a CD, a hard disk, or a game 
cartridge, the recording and reproducing device 300 in the 
present data processing apparatus determines the order in 
which these contents are activated, in accordance with the 
activation priority.

[0762] The recording and reproducing device 300 executes
the mutual authentication with various recording devices 400,
such as a DVD device, a CD drive device,
and a hard disk drive device. Recording and reproducing device
300 then executes the program in the content data with the
top priority in accordance with the priority in the content
data. The "Program Activation Process Based on Activation
Priority in Usage Policy in Content Data" will be explained
below.

[0763] The above description of the present data processing
apparatus focuses on the process executed if the recording and
reproducing device 300 reproduces and executes content data
from the one recording device 400. However, the recording and
reproducing device 300 is generally configured so as to access,
in addition to the recording device 400, a DVD, a CD, and a
hard disk via the read section 304 as well as recording media
500 (such as a memory card and a game cartridge) that
are connected via the PIO 111 or SIO 112. In Fig. 2, only one
read section 304 is described in order to avoid complicating
the drawing. The recording and reproducing device 300 can
have different recording media 500, for example, a DVD, a CD,
a floppy disk, and a hard disk, installed therein in parallel.

[0764] The recording and reproducing device 300 can access
a plurality of recording media 500, each of which stores
content data. Content data supplied by an external content
provider, such as a CD, are stored in the medium 500 in the
data configuration shown in the previously described Fig. 4 or
in each recording medium 500 (such as a memory card) in the
content data configuration shown in Figs. 26 or 27, if the
data are taken out from the medium 500 or downloaded via the
communication means 600. Furthermore, the
content data is stored on the medium 500 and the recording
device 400 in different formats depending on the format type
thereof, as shown in Figs. 32 to 35. In either case, the usage
policy in the header of the content data contains the content
type and the activation priority.

[0765] A process executed by the recording and reproducing
device 300, to activate content if a plurality of content
data is accessible, will be explained in accordance with
the flow in Fig. 57.

[0766] Fig. 57 shows a process flow showing an example (1)
of a process where there is a plurality of content that can
be activated. At step S611, recording devices 400 that are
accessible to the recording and reproducing device 300 are
authenticated. The accessible recording devices 400 include a
memory card, a DVD device, a CD drive, a hard disc device, and
a game cartridge or the like. They are connected, for
example, via the parallel I/O, PIO 111, or the serial I/O, SIO
112, as shown in Fig. 2. Each recording device is
authenticated under the control of the control section 301
shown in Fig. 2, for example, in accordance with the procedure
previously explained in Fig. 20.

[0767] Next, at step S612, programs that can be activated
are detected from the content data stored in the memory of the
successfully authenticated recording device 400. Specifically,
this is executed as a process of extracting content for which
the content type contained in the usage policy of the content
data indicates a program.

[0768] Then at step S613, the priority of the program that
can be activated and which has been extracted at step S612 is
determined. Step S613 selects the top priority. Specifically,
this corresponds to a process of comparing the priorities
contained in the usage policies in the headers of the
plurality of content data that can be activated in step S612.

[0769] Then at step S614, the selected program is activated.
If the plurality of programs that can be activated have the
same priority, default priorities are set for the recording
devices 400 so that the content program stored in the device
with the top priority is executed.

[0770] Fig. 58 shows an example (2) of a process where
identifiers are set for a plurality of recording devices 400
so that the authentication and the retrieval of a content
program are sequentially executed for the recording devices
400 with the identifiers. That is, Fig. 58 illustrates a
process for a plurality of contents that can be activated.

[0771] At step S621, recording devices 400 (i) installed in
the recording and reproducing device 300 are authenticated. A
plurality of (n) recording devices 400 are sequentially
imparted with identifiers 1 to n.

[0772] At step S622, it is determined whether or not the
authentication at step S621 has been successful. If so,
the process proceeds to step S623, where programs that can be
activated are retrieved from the recording media of the
recording devices 400 (i). If the authentication has failed,
the process proceeds to step S627 where it is determined
whether or not there is a new recording device 400 from which
content can be retrieved. Without such a recording device
400, the process is ended. Otherwise, the process
advances to step S628 to update the recording device
identifier i and repeat step S621 and the subsequent
authentication process steps.

[0773] At step S623, programs that can be activated are
detected from the content data stored in the recording devices
400 (i). Specifically, this is executed as a process of
extracting content for which the content type contained in
the usage policy of the content data indicates a program.

[0774] At step S624, it is determined whether or not the
content (of which the content type is a program) has
been extracted. If such content has been extracted, one of
the extracted programs which has the top priority is selected
at step S625, and the selected program is executed at step
S626.

[0775] If it is determined at step S624 that no content (of
which the content type is a program) has been extracted, the
process proceeds to step S627 to determine whether or not
there is a new recording device 400 from which content can
be retrieved. Without such a recording device 400, the process
is ended. Otherwise, the process proceeds to step S628
to update the recording device identifier i and repeat step
S621 and the subsequent authentication process steps.

[0776] Fig. 59 illustrates an
example of a process for a plurality of content that can be
activated. At step S651, recording devices 400 that are
accessible to the recording and reproducing device 300 are
authenticated. For instance, an accessible DVD device, CD
drive, hard disc device, and game cartridge or the like are
authenticated. Each recording device 400 is authenticated
under the control of the control section 301 (shown in Fig.
2). This is done, for example, in accordance with the
procedure previously explained in Fig. 20.

[0777] Next, at step S652, programs that can be activated
are detected from the content data stored in the memory of the
successfully authenticated recording device 400. Specifically,
this is executed as a process of extracting content for which
the content type (contained in the usage policy of the content
data) indicates a program.

[0778] Then at step S653, information (such as the name of
the program that can be activated and which has been extracted
at step S652) is displayed on a display means. Although the
display means is not shown in Fig. 2, AV output data are
output to the display means (not shown). User provided
information, such as a program name for each content data, is
stored in the content ID of the content data. This is done so
that program information (such as a program name for each
authenticated content data) is output to the output means via
the control section 301 that is under the control of the main
CPU 106 shown in Fig. 2.

[0779] Then at step S654, the main CPU 106 receives the
user's program selection input from the input means. The input
means can be the input interface, controller, mouse,
or keyboard shown in Fig. 2. Input occurs via the interface
110. At step S655, the user selected program
is executed in accordance with the selection input.

[0780] As described above, in the data processing apparatus
according to the present invention, the program activation
priority is stored in the usage policy (which is in the header
of the content data) so that the recording and reproducing
device 300 activates programs in accordance with this priority.
Alternatively, the display means can display activated
program information from which the user can select a desired
program. This configuration eliminates the need for the user
to retrieve programs, saving the amount of time and labor
required for the activation. Additionally, the programs that
can be activated are activated after all the recording devices
400 have been authenticated or are shown to be such programs.
This eliminates the complexity of the process, such as the
need to validate a program after selection.

(15) Content Configuring and Reproducing (Decompressing) 
Process 

[0781] In the data processing apparatus according to the
present invention, the recording and reproducing device 300
downloads content from the medium 500 or the communication
means 600, or reproduces data from the recording device 400,
as described above. The above description focuses on the
processing of encrypted data associated with the downloading
or reproduction of content.

[0782] The control section 301 of the recording and
reproducing device 300 in Fig. 3 generally controls the
authentication, encryption, and decryption processes
associated with the downloading or reproduction of content
data from the device 500, the communication means 600, or the
recording device.

[0783] Reproducible contents resulting from these processes
are, for example, sound data, image data or the like.
Decrypted data from the control section 301 is placed under
the control of the main CPU (shown in Fig. 2) and output to
the AV output section, depending on the sound or image data or
like. If, however, the content is, for example, sound data
that has been MP3-compressed, an MP3 decoder in the AV
output section (shown in Fig. 2) decrypts and outputs the
sound data. If the content data includes
images that have been MPEG2-compressed, an MP2 decoder in the
AV output section decompresses and outputs the image data. In
this manner, the data contained in the content data may have
or have not been compressed (encoded). The data is
output after being processed depending on the content.

[0784] However, due to various types of compression and
decompression process programs, even if the content provider
provides compressed data, this data cannot be reproduced
without a corresponding decompression process executing
program.

[0785] Thus, the present invention discloses a data
processing apparatus wherein compressed data and a decryption
(decompression) process program therefor are stored in data
content. Alternatively, link information for the compressed
data and the decryption (decompression) process program
therefor is stored as header information in the content data.

[0786] Fig. 60 is a view obtained by simplifying elements
from the general view of data processing shown in Fig. 2,
which relate to the present configuration. The recording and
reproducing device 300 receives various content from the
device 500 (such as a DVD or a CD), the communication means
600, or the recording device 400 (such as a memory card which
stores content). This content can include
various data such as sound data, still images, animated image
data, and program data which has or has not been
encrypted or compressed.

[0787] If the received content has been encrypted, the
decryption process is executed using a method such as that
described above and based on the control of the control
section 301 and the cryptography process of cryptography
process section 302. The decrypted data is transferred to
the AV process section 109 under the control of the CPU 106,
where the data are stored in a memory 3090 of the AV process
section 109. Then, a content analysis section 3091 analyzes
the configuration of the content. If, for example, a data
decompressing program is stored in the content, it is stored
in a program storage section 3093. If the content contains
sound or image data or the like, this data is stored in a
data storage section 3092. A decompression process section
3094 uses a decompression process program, such as MP3 (which
is stored in the program storage section), to decompress
compressed data stored in the data storage section 3092. The
data is then output to speakers 3001 or a monitor 3002.

[0788] Next, some examples of configurations of data
received by the AV process section 109 (via the control
section 301) and of relevant processes will be explained. Here,
sound data will be shown as an example of content.
Content with the MP3 applied thereto will be described as a
representative compression program. This configuration,
however, is applicable to image data as well as sound data.
Various such programs for MPEG2 or MPEG4 can be applied
thereto instead of MP3.

[0789] Fig. 61 shows an example of the configuration of
content. This figure shows music sound data 6102 compressed by
means of the MP3, and a MP3 decryption (decompression) process
program 6101. Sound data 6102 and MP3 decryption
process program 6101 are integrated together into one content
block. Such content blocks are each stored in the medium 500
or the recording device 400, and are distributed from the
communication means 600 as a single content block. If these
content blocks have been encrypted as previously described,
the recording and reproducing device 300 uses the cryptography
process section 303 to decrypt the content and then transfers
it to the AV process section 109.

[0790] The content analysis section 3091 of the AV process
section 109 analyzes the received content, takes a sound data
decompression program (MP3 decoder) section out from the
content, and
stores it in the program storage section 3093. The sound data
decompression program comprises a sound data decompression
program (MP3 decoder) section and a compressed sound data
section. The compressed sound data is stored
in the data storage section 3092. The content analysis section
3091 may receive information such as a content name or content
configuration information in addition to the content, or it
may analyze the content based on identification data such as a
data name, or other data such as a data length or a data
configuration, which are all contained in the content. Then, a
compression and decompression process section 3094
decompresses the MP3-compressed sound data stored in the data
storage section 3092 in accordance with the sound data
decompression program (MP3 decoder) (stored in the program
storage section 3093). The AV process section 109 then outputs
the decompressed sound data to the speakers 3001.

[0791] Fig. 62 shows a flow showing an example of a process
for reproducing data of the content configuration in Fig. 61.
At step S671, a data name stored in the memory 3090 of the AV
process section 109 (for example, information such as the
title of music present if the content is sound data) is taken
out from the information received separately from the content,
or from data in the content, and is then displayed on the
monitor 3002. At step S672, the user's selection is received
from one of the various input means, such as the switches and
the keyboard via the input interface 110. A
reproduction process command, based on user input data, is
then output to the AV process section 109, which is under the
control of the CPU 106. At step S673, the AV process section
109 extracts and decompresses data selected by the user.

[0792] Next, Fig. 63 shows an example of a configuration
wherein the content contains either compressed sound
data or the decompression process program. It also
contains content information indicating what the content
contains, such as header information for each content.

[0793] As shown in Fig. 63, if the content is a program
6202, the content contains as header information 6201, content
identification information indicating that this is a program
and that the type of program is to be MP3-decompressed. On the
other hand, if sound data 6204 is contained as content,
the content information in the header 6203 indicates that the
data has been MP3-compressed. This header information can
be configured by selecting only information required for
reproduction from the data contained in the usage policy (see
Fig. 5). This is done as shown in the above-described
content data configuration, for example, in Fig.
This information is added to the content transferred
to the AV process section 109. Specifically, identification
values for usage policy data, required for the cryptography
process section 302 and for data required for the AV process
section 109 during the reproduction process, are added to each
constituent data of the usage policy shown in Fig.
Only data indicating that these identification values are
required for the AV process section 109 are extracted as
header information.

[0794] On receiving each content block shown in Fig. 63,
the content analysis section 3091 of the AV process section
109 stores, in accordance with the header information, a
program content in the program storage section 3093, if the
content is a program. Otherwise, it stores the program content
in the data storage section 3092 if the content is data.
Thereafter, the compression and decompression section 3094
takes the data out from the data storage section and
decompresses it in accordance with the MP3 program stored
in the program storage section 3093. This is done before
outputting the decompressed data. If the program storage
section 3093 has the same program already stored therein, the
program storage process may be omitted.

[0795] Fig. 64 shows an example of a
process for reproducing data of the content configuration in
Fig. 63. At step S675, a data name is
taken out from the information received separately from the
content or from the header in the content, and is then
displayed on the monitor 3002. The data name, stored in the
memory 3090 of the AV process section 109, is, for example,
information such as the title of music (if the content is
sound data). At step S676, the user's selection is received
from one of the various input means, such as the switches and
the keyboard, via the input interface 110.

[0796] Then at step S677, a data reproducing program (for
example, the MP3), corresponding to the user selection, is
retrieved. The maximum range of this program retrieval is
preferably set as the possible access range of the recording
and reproducing device 300. For example, the media 500,
communication means 600, and recording device 400 shown in
Fig. 60 are included in the retrieval range.

[0797] The only content passed to the AV process
section 109 is the data section. The program content
may be stored in another recording medium 500 in the recording
and reproducing device 300. Alternatively, the program content
may be provided by the content provider via the medium 500,
such as a DVD or a CD. Accordingly, the retrieval range is set
as the possible access range of the recording and reproducing
device 300. When a reproduction program is found as a result
of the retrieval, a reproduction process command, based on the
user input data, is output to the AV process section 109
(under the control of the CPU 106). At step S679, the AV
process section 109 extracts and decompresses data depending
on the user's selection. In another embodiment, the program
retrieval is executed before step S675, so that only the data
in which the program has been detected are displayed at step
S675.

[0798] Next, Fig. 65 shows an example of a configuration
wherein content contains compressed sound data 6303 and
decompressed process program 6302, and further contains a
content reproduction priority as header information 6301
therefor. This is an example of the above content
configuration in Fig. 61 with the reproduction priority added
thereto as header information. As in the above described
section "(14) Program Activating Process Based on Activation
Priority in Usage Policy in Content Data," the order of
reproduction is determined based on a reproduction priority
set among content received by the AV process section 109.

[0799] Fig. 66 shows a flow showing an example of a process
for reproducing data of the content configuration in Fig. 65.
At step S681, data stored in the memory 3090 of the AV process
section 109 (that is, data information for data to be
reproduced) is set in a retrieval list. The retrieval list is
set using some areas of the memory in the AV process section
109. Then at step S682, the content analysis section 3091 of
the AV process section 109 selects data of top priority.
At step S683, it reproduces the selected data.

[0800] Next, Fig. 67 shows an example of a configuration
wherein content comprises a combination of header
information and program data 6402, or header information 6403
and compressed data 6404, and wherein a reproduction
priority is added only to the header 6403 of the data content.

[0801] Fig. 68 shows a flow showing an example of a process
for reproducing data of the content configuration in Fig. 67.
At step S691, data stored in the memory 3090 of the AV process
section 109 (that is, data information for data to be
reproduced) is set in a retrieval list. The retrieval list is
set using some areas of the memory in the AV process section
109. Then at step S692, the content analysis section 3091 of
the AV process section 109 selects data of top priority.
[0802] Then at step S693, a data reproducing program (for 

example, the MP3)_^_ corresponding to the user selection^ is 
retrieved. As in the process in the flow in Fig. 64, the 
maximum range of this program retrieval is preferably set as 
the possible access range of the recording and reproducing 
device 300 . 7 — a**d — fFor example, the media 500, communication 
means 600, and recording device 400 J_shown in Fig. 60_)_ are 
included in the retrieval range. 

[0803] When a reproduction program is found as a result of
the retrieval (Yes at step S694), the selected data is
decompressed and reproduced using the program obtained as a
result of the retrieval.

[0804] On the other hand, if no program is found as a result
of the retrieval (No at step S694), the process proceeds to
step S696. Step S696 deletes the remaining data contained in
the retrieval list (set at step S691) that must be reproduced
using the same program. This is because it is apparent that a
new attempt to retrieve a reproduction program from these data
fails. Furthermore, it is determined whether or not the
retrieval list is empty; if the list is determined not to be
empty, the process returns to step S692 to extract data of the
next highest priority and execute the program retrieving
process.
[0805] Thus, according to this configuration, if the
compressed content is constructed with its decryption
(decompression) program, the process section (for example, the
AV process section) receiving the content uses the
decompression process program attached to the compressed data
in order to execute the decompression and reproduction
process. Alternatively, the process section retrieves the
decompression and reproduction program based on the header
information in the compressed data to execute the
decompression and reproduction process in accordance with the
program obtained as a result of the retrieval. The compressed
data can also comprise only data obtained by compressing the
content or only the decompression process program, since it
has the header information indicating what compressed data the
content is or what process the content executes. This
eliminates the need for processes executed by the user, such
as the selection and retrieval of the data decompressing
program, thereby enabling efficient data reproduction.
Moreover, the configuration with the reproduction priority in
the header enables the reproduction order to be automatically
set to allow the user to omit the operation of setting the
reproduction order.

[0806] In the above described embodiments, the MP3 is taken
as an example of a decompression process program for
compressed sound data contents and sound compressed data. This
configuration is also applicable to contents containing
compressed data, or a decompression process program for
compressed image data, and provides similar effects in this
other case.


(16) Generation of Save Data and Storage and Reproduction of 
the Same in and from Recording Device 

[0807] If, for example, the content executed in the recording
and reproducing device 300 is a game program or the like and
if the game program is to be resumed a predetermined period of
time after suspension, the state of the game is saved at the
time of the suspension. That is, the state of the game is
stored in the recording device 400 so as to be read out on
resumption, enabling the game to be continued.

[0808] In conventional recording and reproducing devices 400
for game apparatuses, personal computers, or the like, a save
data preservation configuration is provided. This
configuration preserves save data in a recording medium 500,
such as a memory card, a floppy disk, a game cartridge, or a
hard disk, which can be built into the recording and
reproducing device 300 or externally attached thereto. In
particular, however, these recording and reproducing devices
300 have no configuration for maintaining the security of the
save data and carry out the save process using, for example,
specifications common to a game application program.

[0809] Thus, for example, save data saved using a recording
and reproducing device A may be used or rewritten by another
game program. However, little attention has been paid to the
security of the save data.

[0810] The data processing apparatus according to the present
invention provides a configuration that can maintain the
security of save data. For example, save data for a certain
game program is encrypted based on information used only by
this game program before being stored in the recording device
400. Alternatively, the save data is encrypted based on
information unique to the recording and reproducing device 300
before being stored in the recording device 400. These methods
enable the usage of the save data to be limited to particular
apparatuses or programs to maintain the security of the data.
"Generation of Save Data and Storage and Reproduction of the
Same in and from Recording Device" in the present data
processing apparatus will be explained below.

[0811] Fig. 69 is a block diagram illustrating a save data
storage process in the present data processing apparatus.
Content from the medium 500, such as a DVD or CD, or from the
communication means 600, is provided to the recording and
reproducing device 300. The provided content has been
encrypted with the content key Kcon, which is a key unique to
the content as described above. The recording and reproducing
device 300 obtains the content key in accordance with the
process described in the above described section "(7) Process
for Downloading from Recording and Reproducing Device to
Recording device" (see Fig. 22), to decrypt the encrypted
content, and then stores it in the recording device 400. The
following description is directed to a process executed by the
recording and reproducing device 300 to decrypt a content
program from the medium 500 or the communication means 600. It
reproduces and executes this program, and then stores the
obtained save data in one of the various recording devices
400A, 400B, and 400B (such as external or built-in memory card
and hard disk) for reproduction. Or it downloads content in
the recording device 400A, reproduces and executes the content
from the recording device 400A, and stores the resulting save
data in a processing and recording device 400, for storing the
save data in any one of the various recording devices 400A,
400B, and 400B (such as external or built-in memory card and
hard disk for reproduction and reproducing the save data).
[0812] The recording and reproducing device 300 has the
recording and reproducing device identifier IDdev, the system
signature key Ksys (which is a signature key shared throughout
the system), the recording and reproducing device signature
key Kdev (which is unique to individual recording and
reproducing devices), and the master keys for generating
various individual keys, as previously described. The master
keys are used to generate, for example, the distribution key
Kdis or the authentication key Kake, as described in detail in
"(12) Configuration for Generating Cryptography Process Keys
Based on Master Keys." Here, the type of the master key is not
particularly limited, but a key representing the master keys
of the recording and reproducing device 300 is denoted by MKx.
Fig. 69 shows an example of the cryptography key, Ksav, for
save data in the lower part of the figure. The save data
cryptography key, Ksav, is used for the encryption process
executed to store save data in one of the various recording
devices 400A to C, and for the decryption process executed to
reproduce these data therefrom. The processes for storing and
reproducing save data will be explained with reference to Fig.
70 and subsequent figures.

[0813] Fig. 70 is a flow chart of a process of storing save
data in one of the recording devices 400A to C using either
the content unique key or the system common key. The process
in each flow is executed by the recording and reproducing
device 300. The recording device 400 storing the save data in
each flow may be any of the external recording devices 400A to
C but is not limited to a particular one.

[0814] At step S701, the recording and reproducing device 300
reads out the content ID, for example, the game ID. This ID is
the data contained in the identification information in the
content data shown in the previously described Figs. 4, 26,
21, and 32 to 35. On receiving a command for storage of save
data via the interface 110 (shown in Fig. 2), the main CPU 106
commands the control section 301 to read the content ID.
[0815] The control section 301 takes the identification
information out from the header in the content data via the
read section if the execution program is content from a DVD, a
CD-ROM, or the like (which is executed via the read section
304), or takes it out via the recording device controller 303
(if the execution program is a content stored in the recording
device 400). If the recording and reproducing device 300 is
executing the content program and the content ID has already
been stored in RAM or another accessible recording medium in
the recording and reproducing device 300, the identification
information contained in the loaded data may be used without
executing a new read process.

[0816] Then at step S702, the process is changed depending on
whether or not the program is to be localized. The program
localization is used to set whether or not a limitation is
added that allows save data to be used only by this program.
To allow the save data to be used only by this program,
"Program Localization" is set to "Yes." To prevent the usage
of the data from being limited to this program, "Program
Localization" is set to "No." This may be arbitrarily set by
the user or may be set and stored in the content program by
the content producer. The set localization is stored in one of
the recording devices 400A to C (of Fig. 69) as a data
managing file.

[0817] Fig. 71 shows an example of the data managing file.
The data managing file is generated as a table. The table
contains entries including data numbers, content IDs,
recording and reproducing device IDs, and program
localization. The content ID is identification data for a
content program for which save data is saved. The recording
and reproducing device ID indicates a recording and
reproducing device 300 that has stored the save data. An
example thereof is [IDdev], shown in Fig. 69. The program
localization is set to "Yes" in order to allow the save data
to be used only by this program, or to "No" in order to
prevent the usage of the data from being limited to this
program. The program localization may be arbitrarily set by
the user using the content program, or may be set and stored
in the content program by the content producer.

[0818] Referring back to Fig. 70, the flow will be
continuously explained. If the program localization is set to
"Yes" at step S702, the process proceeds to step S703. At step
S703, the key unique to the content, for example, the content
key Kcon, is read out from the content data and used as the
save data cryptography key Ksav. Otherwise, the save data
cryptography key, Ksav, is generated based on the content
unique key.

[0819] On the other hand, if the program localization is set
to "No" at step S702, the process proceeds to step S707. At
step S707, the system common key stored in the recording and
reproducing device 300 (for example, the system signature
key), Ksys, is read out from the internal memory 307 of the
recording and reproducing device 300 and is used as the save
data cryptography key Ksav. Otherwise, the save data
cryptography key, Ksav, is generated based on the system
signature key Ksys. Alternatively, a cryptography key
different from the other keys (which have been separately
saved to the internal memory 307 of the recording and
reproducing device 300) may be used as the save data
cryptography key Ksav.

[0820] Then at step S704, the save data cryptography key
Ksav, selected or generated at step S703 or S707, is used to
execute a process for encrypting save data. This encryption
process is executed by the cryptography process section 302
(see Fig. 2) by applying, for example, the above described DES
algorithm.

[0821] The save data encrypted at step S704 is stored in the
recording device at step S705. If there are a plurality of
recording devices 400 that can store save data (as shown in
Fig. 69), the user selects one of the recording devices 400A
to C in advance as a save data storage destination. Further,
at step S706, the program localization set at step S702 (that
is, "Yes" or "No" for the program localization) is written to
the data managing file described with reference to Fig. 71.

[0822] The process for storing the save data is thus
completed. Save data for which "Yes" is selected for the
program localization at step S702, and which are encrypted at
step S703 with the save data encryption key Ksav (generated
based on the content unique key), is prevented from being
decrypted by content programs having no content unique key
information. Thus, these save data can be used only by content
programs having the same content key information. In this
case, however, the save data encryption key Ksav is not
generated based on information unique to the recording and
reproducing device 300, so that save data stored in a
removable recording device 400 (such as a memory card) can be
reproduced even from a different recording and reproducing
device 300, as long as they are used together with a
corresponding content program.

[0823] Additionally, save data for which "No" is selected for
the program localization at step S702 (and which are encrypted
at step S707 with the save data encryption key Ksav) can be
reproduced and used, even if a program with a different
content identifier is used, or if a different recording and
reproducing device 300 is used.

[0824] Fig. 72 illustrates a process for reproducing save
data stored by means of the save data storage process in Fig.
20.

[0825] At step S711, the recording and reproducing device 300
reads out the content ID, for example, the game ID. This is a
process similar to step S701 previously described in Fig. 70,
and which reads out data contained in the identification
information of the content data.

[0826] Then at step S712, the data managing file (described
with reference to Fig. ) is read out from one of the recording
devices 400A to C (shown in Fig. 69). The content ID (read out
at step S711) and correspondingly set program localization are
extracted therefrom. In step S713, if the data managing file
has the program localization set to "Yes," the process
proceeds to step S714. If the data managing file has the
program localization set to "No," the process advances to step
S717.

[0827] At step S714, the key unique to the content (for
example, the content key Kcon) is read out from the content
data and is used as the save data decryption key Ksav. Or, the
save data decryption key Ksav is generated based on the
content unique key. This decryption key generating process
uses a process algorithm corresponding to the encryption key
generating process. That is, a decryption key generating
algorithm that enables data encrypted based on a certain
content unique key to be decrypted with a decryption key
generated based on the same content unique key.

[0828] On the other hand, if it is determined at step S713
that the data managing file has the program localization set
to "No," then at step S717, the system common key (stored in
the recording and reproducing device 300), for example, the
system signature key Ksys, is read out from the internal
memory 307 of the recording and reproducing device 300 and is
used as the save data decryption key Ksav. Or, the save data
decryption key Ksav is generated based on the system signature
key Ksys. Alternatively, a cryptography key different from the
other keys that have been separately saved to the internal
memory 307 of the recording and reproducing device 300 may be
used as the save data cryptography key Ksav.

[0829] Then at step S715, the save data decryption key Ksav,
selected or generated at step S714 or S717, is used to execute
a process for decrypting save data. At step S716, the
decrypted save data is reproduced and executed in the
recording and reproducing device 300.

[0830] The save data reproduction process is thus completed.
As described above, the save data decryption key is generated
based on the content unique key if the data managing file has
the program localization set to "Yes." Otherwise, the save
data decryption key is generated based on the system common
key if the data managing file has the program localization set
to "No." If the program localization is set to "Yes," a
decryption key cannot decrypt the save data without the same
content ID for the content, thereby enabling the security of
the save data to be improved.

[0831] Figs. 73 and 74 show save data storage and
reproduction flows, respectively, that generate save data
encryption and decryption keys using the content ID.

[0832] In Fig. 73, steps S721 to S722 are similar to steps
S701 and S702 in Fig. 70, so description thereof is omitted.

[0833] If the program localization is set to "Yes" at step
S722, then at step S723, the content ID is read out from the
content data and is used as the save data decryption key Ksav,
or the save data decryption key Ksav is generated based on the
content ID. For example, the cryptography process section 307
of the recording and reproducing device 300 can apply the
master key MKx (stored in the internal memory of the recording
and reproducing device 300), to the content ID read out from
the content data. This is done to obtain the save data
decryption key Ksav that is based, for example, on the DES
(MKx, content ID). Alternatively, a cryptography key different
from the other keys (which have been separately saved to the
internal memory 307 of the recording and reproducing device
300) may be used as the save data decryption key Ksav.

[0834] On the other hand, if the program localization is set
to "No" at step S722, then at step S727, the system common key
stored in the recording and reproducing device 300 (for
example, the system signature key Ksys) is read out from the
content data and is used as the save data encryption key Ksav,
or the save data encryption key Ksav is generated based on the
system signature key. Alternatively, a cryptography key
different from the other keys (which have been separately
saved to the internal memory 307 of the recording and
reproducing device 300) may be used as the save data
decryption key Ksav.

[0835] The processing at step S724 and the subsequent steps
is similar to that at step S704 and the subsequent steps in
the process flow in the above described Fig. 70, and
description thereof is thus omitted.

[0836] Fig. 74 shows a process flow for reproducing and
executing save data stored in the recording device 400 during
the save data storage process flow in Fig. 73. Steps S731 to
S733 are similar to the corresponding processing in the
above-described Fig. 72, except for step S734. At step S734,
the content ID is read out from the content data and is used
as the save data decryption key Ksav, or the save data
decryption key, Ksav, is generated based on the content ID.
This decryption key generating process uses a process
algorithm corresponding to the encryption key generating
process. That is, a decryption key generating algorithm that
enables data encrypted based on a certain content ID to be
decrypted with a decryption key generated based on the same
content ID.

[0837] The subsequent processing, steps S735, S736, and S737
are similar to the corresponding processing in Fig. 72, and
description thereof is thus omitted. According to the save
data storage and reproduction processes in Figs. 73 and 74, if
the program localization is set to "Yes," the content ID is
used to generate the save data encryption and decryption keys,
so that as in the above save data storage and reproduction
processes using the content unique key, save data cannot be
obtained without matching the corresponding content program,
thereby enabling save data to be saved more securely.

[0838] Figs. 75 and 77 show save data storage (Fig. 75) and
reproduction (Fig. 77) flows, respectively, that generate save
data encryption and decryption keys using the recording and
reproducing device unique key.

[0839] In Fig. 75, step S741 is similar to step S701 in Fig.
70, so description thereof is omitted. At step S742,
localization is or is not set for the recording and
reproducing device 300. In the case of localizing a particular
recording and reproducing device 300 capable of utilizing the
save data, the recording and reproducing device localization
is set to "Yes." That is, the save data is allowed to be used
only by the recording and reproducing device that has
generated and stored the data. To allow other recording and
reproducing devices to use the save data, the recording and
reproducing device localization is set to "No." If the
recording and reproducing device localization is set to "Yes"
at step S742, the process proceeds to step S743, and if this
localization is set to "No," the process proceeds to step
S747.

[0840] An example of the data managing file is shown in Fig.
76. The data managing file is generated as a table. The table
contains entries including data numbers, content IDs,
recording and reproducing device IDs, and recording and
reproducing device localization. The content ID is
identification data for a content program for which save data
is saved. The recording and reproducing device ID indicates a
recording and reproducing device 300 that has stored the save
data. An example thereof is [IDdev], shown in Fig. 69. The
recording and reproducing device localization is set to "Yes"
in order to limit the usage of the save data to a particular
recording and reproducing device 300. That is, the save data
is allowed to be used only by the recording and reproducing
device that has generated and stored the data. Recording and
reproducing device localization is set to "No" in order to
allow other recording and reproducing devices 300 to use the
save data. The recording and reproducing device localization
may be arbitrarily set by the user using the content program,
or may be set and stored in the content program by the content
producer.

[0841] In the save data storage process flow in Fig. 75, if
the recording and reproducing device localization is set to
"Yes" at step S742, the recording and reproducing device
unique key (for example, the recording and reproducing device
signature key, Kdev) is read out from the internal memory 307
of the recording and reproducing device 300, and is used as
the save data encryption key, Ksav, or the save data
encryption key Ksav is generated based on the recording and
reproducing device signature key Kdev. Alternatively, a
cryptography key, different from the other keys which has been
separately saved to the internal memory 307 of the recording
and reproducing device 300, may be used as the save data
decryption key Ksav.

[0842] On the other hand, if the recording and reproducing
device localization is set to "No" at step S742, then at step
S747 the system common key (stored in the recording and
reproducing device 300, for example, the system signature key
Ksys) is read out from internal memory 307 of the recording
and reproducing device 300 and used as the save data
encryption key Ksav, or the save data encryption key Ksav is
generated based on the system signature key. Alternatively, a
cryptography key, different from the other keys which has been
separately saved to the internal memory 307 of the recording
and reproducing device 300, may be used as the save data
decryption key Ksav.

[0843] The processing at steps S744 and S745 is similar to
the corresponding processing in the process flow in the
above-described Fig. 72, and description thereof is thus
omitted.

[0844] At step S746, the content ID, the recording and
reproducing device ID, and the recording and reproducing
device localization "Yes/No" (set by the user at step S742)
are written to the data managing file (see Fig. 76).

[0845] Furthermore, Fig. 77 shows a process flow for
reproducing and executing save data stored in the recording
device 400 during the save data storage process flow in Fig.
75. At step S751, the content ID is read out as in the
corresponding processing described above in relation to Fig.
72. Then at step S752, the recording and reproducing device ID
(IDdev), stored in the memory of the recording and reproducing
device 300, is read out.

[0846] At step S753, the content ID, the recording and
reproducing device ID, and the set recording and reproducing
device localization "Yes/No" are read out from the data
managing file (see Fig. 76). If any entry in the data managing
file (which has the same content ID) has the recording and
reproducing device localization set to "Yes," the process is
ended if the table entry has a recording and reproducing
device ID different from that read out at step S752.

[0847] Next, if it is determined at step S754 that the data
managing file has the recording and reproducing device
localization set to "Yes," the process proceeds to step S755.
If the data managing file has the recording and reproducing
device localization set to "No," the process proceeds to step
S758.

[0848] At step S755, the recording and reproducing device
unique key (for example, the recording and reproducing device
signature key Kdev) is read out from the internal memory 307
of the recording and reproducing device 300 and is used as the
save data decryption key Ksav. Or, the save data encryption
key Ksav is generated based on the recording and reproducing
device signature key Kdev. This decryption key generating
process uses a process algorithm corresponding to the
encryption key generating process. That is, a decryption key
generating algorithm is used that enables data encrypted based
on a certain recording and reproducing device unique key to be
decrypted with a decryption key (that was generated based on
the same recording and reproducing device unique key).
Alternatively, a cryptography key, different from the other
keys, which has been separately saved to the internal memory
307 of the recording and reproducing device 300, may be used
as the save data decryption key Ksav.

[0849] On the other hand, at step S758, the system common key
stored in the recording and reproducing device 300 (for
example, the system signature key Ksys) is read out from
internal memory 307 of the recording and reproducing device
300 and used as the save data decryption key Ksav. Or, the
save data decryption key Ksav is generated based on the system
signature key. Alternatively, a cryptography key different
from the other keys (which has been separately saved to the
internal memory 307 of the recording and reproducing device
300) may be used as the save data decryption key Ksav. The
processing at the subsequent steps S756 and S757 is similar to
that at the corresponding steps in the above described save
data reproduction process flow.

[0850] According to the save data storage and reproduction
process flows shown in Figs. 75 and 77, save data for which
the recording and reproducing device localization is set to
"Yes" is encrypted and decrypted using the recording and
reproducing device unique key. This save data can thus be
decrypted and used only by the recording and reproducing
device 300 having the same recording and reproducing device
unique key, i.e., the same recording and reproducing device
300.

[0851] Next, Figs. 78 and 79 show process flows for 
generating encryption and decryption keys for save data using 
the recording and reproducing device ID and storing and 
reproducing the save data. 

[0852] In Fig. 78, the recording and reproducing device ID
is used to encrypt and store save data in the recording device
400. Steps S761 to S763 are similar to those in the above Fig.
75. At step S764, the recording and reproducing device ID
(IDdev), read out from the recording and reproducing device,
is used to generate the save data encryption key Ksav. The
save data encryption key Ksav is obtained based on the IDdev.
This is done by, for example, applying the IDdev as the save
data encryption key Ksav, or applying the master key MKx
(stored in the internal memory of the recording and
reproducing device 300) to obtain the save data encryption key
Ksav based on the DES (MKx, IDdev). Alternatively, a
cryptography key different from the other keys which have
been separately saved to the internal memory 307 of the
recording and reproducing device 300, may be used as the save
data decryption key Ksav.

[0853] The subsequent process steps S765 to S768 are
similar to the corresponding processing in the above described
Fig. 75, so description thereof is omitted.

[0854] Fig. 79 shows a process flow for reproducing and
executing the save data stored in the recording device 400 by
means of the process in Fig. 78. Steps S771 to S774 are
similar to the corresponding processing in Fig. 77.

[0855] At step S775, the recording and reproducing device
ID (IDdev), read out from the recording and reproducing device,
is used to generate the save data decryption key Ksav. The
save data encryption key Ksav is obtained based on the IDdev.
This is performed by, for example, applying the IDdev as this
key Ksav, or applying the master key MKx (stored in the
internal memory of the recording and reproducing device 300)
to obtain this key Ksav based on the DES (MKx, IDdev). This
decryption key generating process uses a process algorithm
corresponding to the encryption key generating process.
That is, a decryption key generating algorithm that enables
data encrypted based on a certain recording and reproducing
device unique key to be decrypted with a decryption key
generated based on the same recording and reproducing device
unique key. Alternatively, a cryptography key, different from
the other keys which has been separately saved to the internal
memory 307 of the recording and reproducing device 300, may be
used as the save data decryption key Ksav.

[0856] The subsequent process steps S776 to S778 are
similar to the corresponding processing in the above described
Fig. 76.

[0857] According to the save data storage and reproduction
process flows shown in Figs. 78 and 79, save data for which
the recording and reproducing device localization is set to
"Yes" is encrypted and decrypted using the recording and
reproducing device unique key. This save data can thus
be decrypted and used only by the recording and reproducing
device 300 having the same recording and reproducing device
unique key, that is, the same recording and reproducing device
300.

[0858] Next, save data storage and reproduction processes 
of executing both the above described program localization and 
recording and reproducing device localization will be 
explained with reference to Figs. 80 to 82. 

[0859] Fig. 80 shows a save data storage process flow. At
step S781, the content ID is read out from the content data,
at step S782, it is determined whether the program
localization is set, and at step S783, it is determined
whether the recording and reproducing device localization is
set.

[0860] If both the program localization and the recording
and reproducing device localization are set to "Yes", then at
step S785, the save data encryption key Ksav is generated
based on both the content unique key (ex. Kcon) and the
recording and reproducing device unique key (Kdev). The save
data encryption key is obtained, for example, based on Ksav =
(Kcon XOR Kdev) or by applying the master key MKx (stored in
the internal memory of the recording and reproducing device
300) to obtain this key based on Ksav = DES (MKx, Kcon XOR
Kdev). Alternatively, a cryptography key, different from the
other keys which have been separately saved to the
internal memory 307 of the recording and reproducing device
300, may be used as the save data decryption key Ksav.

[0861] If the program localization is set to "Yes" while
the recording and reproducing device localization is set to
"No", then at step S786, the content unique key (ex. Kcon) is
used as the save data encryption key Ksav. Or, the save
data encryption key Ksav is generated based on the content
unique key (ex. Kcon).

[0862] If the program localization is set to "No" while the
recording and reproducing device localization is set to "Yes",
then at step S787, the recording and reproducing device unique
key (Kdev) is used as the save data encryption key Ksav. Or,
the save data encryption key Ksav is generated based on the
recording and reproducing device unique key (Kdev).
Alternatively, a cryptography key, different from the other
keys (which have been separately saved to the internal
memory 307 of the recording and reproducing device 300), may
be used as the save data decryption key Ksav.

[0863] Further, if both the program localization and the
recording and reproducing device localization are set to "No",
then at step S787, the system common key (for example, the
system signature key Ksys) is used as the save data encryption
key Ksav. Or, the save data encryption key Ksav is
generated based on the system signature key Ksys.
Alternatively, a cryptography key, different from the other
keys (which has been separately saved to the internal memory
307 of the recording and reproducing device 300), may be used
as the save data decryption key Ksav.

[0864] At step S789, the save data encryption key Ksav,
generated at one of the steps S785 to S788, is used to encrypt
the save data, which is then stored in the recording
device 400.

[0865] Furthermore, at step S790, the localization (set at
steps S782 and S783) is stored in the data managing file. The
data managing file is configured, for example, as shown in Fig.
81, and contains entries including data numbers, content IDs,
recording and reproducing device IDs, program localization,
and recording and reproducing device localization.

[0866] Fig. 82 shows a process flow for
reproducing and executing the save data stored in the
recording device 400 by means of the process in Fig. 80. At
step S791, the content ID and the recording and reproducing
device ID are read out from the execution program. At
step S792, the content ID, the recording and reproducing
device ID, the program localization, and the recording and
reproducing device localization are read out from the data
managing file shown in Fig. 81. In this case, if the program
localization is set to "Yes" and the content IDs are not the
same, or if the recording and reproducing device localization
is set to "Yes" and the recording and reproducing device IDs
are not the same, the process is ended.

[0867] Then at steps S793, S794, and S795, the decryption
key generating process is set to one of the four manners at
steps 796 to S799 in accordance with the data recorded in the
data managing file.

[0868] If both the program localization and the recording
and reproducing device localization are set to "Yes", then at
step S796, the save data encryption key Ksav is generated
based on both the content unique key (ex. Kcon) and the
recording and reproducing device unique key (Kdev).
Alternatively, a cryptography key different from the other
keys (which have been separately saved to the internal
memory 307 of the recording and reproducing device 300) may be
used as the save data decryption key Ksav. If the program
localization is set to "Yes" while the recording and
reproducing device localization is set to "No", then at step
S797, the content unique key (ex. Kcon) is used as the save
data encryption key Ksav. Or, the save data encryption key
Ksav is generated based on the content unique key (ex. Kcon).
Alternatively, a cryptography key different from the other
keys (which have been separately saved to the internal
memory 307 of the recording and reproducing device 300) may be
used as the save data decryption key Ksav.

[0869] If the program localization is set to "No" while the
recording and reproducing device localization is set to "Yes",
then at step S798, the recording and reproducing device unique
key (Kdev) is used as the save data encryption key Ksav.
Or, the save data encryption key Ksav is generated based on
the recording and reproducing device unique key (Kdev).
Alternatively, a cryptography key different from the other
keys (which have been separately saved to the internal
memory 307 of the recording and reproducing device 300) may be
used as the save data decryption key Ksav. Further, if both
the program localization and the recording and reproducing
device localization are set to "No", then at step S799, the
system common key (for example, the system signature key
Ksys) is used as the save data encryption key Ksav. Or, the
save data encryption key Ksav is generated based on the system
signature key Ksys. Alternatively, a cryptography key
different from the other keys (which have been separately
saved to the internal memory 307 of the recording and
reproducing device 300) may be used as the save data
decryption key Ksav.

[0870] These decryption key generating processes use a
process algorithm corresponding to the encryption key
generating process. That is, a decryption key generating
algorithm that enables data encrypted based on the same
content unique key and recording and reproducing device unique
key to be decrypted with a decryption key generated based on
the same content unique key and recording and reproducing
device unique key.

[0871] At step S800, the save data encryption key Ksav,
generated at one of the steps S796 to S799, is used to execute
the decryption process. The decrypted save data are
reproduced and executed in the recording and reproducing
device 300.

[0872] According to the save data storage and reproduction
process flows shown in Figs. 80 and 82, save data for which
"Yes" is selected for the program localization is
encrypted and decrypted with the content unique key.
This save data can be decrypted and used only if content
data having the same content unique key is used.
Additionally, save data for which "Yes" is selected for the
recording and reproducing device localization is encrypted
and decrypted with the recording and reproducing device ID.
This save data can be decrypted and used only by
the recording and reproducing device having the same recording
and reproducing device ID, that is, the same recording and
reproducing device. Consequently, both the content and the
recording and reproducing device can set the localization to
further improve the security of the save data.

[0873] Although Figs. 80 and 82 show the configuration for
generating the save data encryption key and the decryption key
using the content unique key and the recording and reproducing
device unique key, the content ID and the recording and
reproducing device ID may be used instead of the content
unique key and the recording and reproducing device unique key,
respectively, to generate the save data encryption key and the
decryption key based on these IDs.
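
The key selection of Figs. 80 and 82 can be traced in a short Python sketch. This is an added example, not part of the original specification: the record fields, function names and 8-byte sample keys are constructed assumptions, and only the plain variant Ksav = Kcon XOR Kdev is shown, not the DES (MKx, ...) variant.

```python
from typing import NamedTuple, Optional

# Constructed 8-byte sample keys (illustrative values only).
KCON = bytes.fromhex("0123456789abcdef")    # content unique key
KDEV_A = bytes.fromhex("1111111111111111")  # unique key of device A
KDEV_B = bytes.fromhex("2222222222222222")  # unique key of device B
KSYS = bytes.fromhex("fedcba9876543210")    # system common key


class ManagingEntry(NamedTuple):
    """One row of the data managing file (Fig. 81); field names are hypothetical."""
    data_number: int
    content_id: str
    device_id: str
    program_localization: bool
    device_localization: bool


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("keys must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def select_ksav(program_loc: bool, device_loc: bool,
                kcon: bytes, kdev: bytes, ksys: bytes) -> bytes:
    """Steps S785-S788 (storage) and S796-S799 (reproduction)."""
    if program_loc and device_loc:
        # Note: XOR is invertible, so Ksav XOR Kcon == Kdev.
        return xor_bytes(kcon, kdev)
    if program_loc:
        return kcon
    if device_loc:
        return kdev
    return ksys


def ksav_for_reproduction(entry: ManagingEntry, content_id: str, device_id: str,
                          kcon: bytes, kdev: bytes, ksys: bytes) -> Optional[bytes]:
    """Fig. 82: compare IDs (S791/S792), then derive the decryption key.

    Returns None where the text says "the process is ended".
    """
    if entry.program_localization and entry.content_id != content_id:
        return None
    if entry.device_localization and entry.device_id != device_id:
        return None
    return select_ksav(entry.program_localization, entry.device_localization,
                       kcon, kdev, ksys)


def demo() -> dict:
    """Store on device A with both flags "Yes", then try to reproduce."""
    entry = ManagingEntry(1, "CONTENT-01", "DEV-A", True, True)
    stored_with = select_ksav(True, True, KCON, KDEV_A, KSYS)
    same_device = ksav_for_reproduction(entry, "CONTENT-01", "DEV-A",
                                        KCON, KDEV_A, KSYS)
    other_device = ksav_for_reproduction(entry, "CONTENT-01", "DEV-B",
                                         KCON, KDEV_B, KSYS)
    # Even if the ID comparison were skipped, device B derives a different key,
    # so the stored data stays bound to device A by the key itself.
    key_on_b = select_ksav(True, True, KCON, KDEV_B, KSYS)
    # With both flags "No", every device holding Ksys derives the same key.
    unlocalized_a = select_ksav(False, False, KCON, KDEV_A, KSYS)
    unlocalized_b = select_ksav(False, False, KCON, KDEV_B, KSYS)
    return {
        "stored_with": stored_with,
        "same_device_ok": same_device == stored_with,
        "other_device_ended": other_device is None,
        "key_on_b_differs": key_on_b != stored_with,
        "unlocalized_shared": unlocalized_a == unlocalized_b == KSYS,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```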

[0874] Next, a configuration for generating encryption
and decryption keys, based on a password input by the user,
will be described with reference to Figs. 83 to 85.

[0875] Fig. 83 shows a process flow for generating a save
data encryption key based on a password input by the user and
storing save data in the recording device.

[0876] At step S821, the content ID is read out from the 
content data as in each of the above described processes. At 
step S822, the user determines whether to set the program 
localization. The data managing file set in this configuration 
has, for example, the configuration shown in Fig. 84. 

[0877] As shown in Fig. 84, the data contains data numbers, 
content IDs, recording and reproducing device IDs, and user 
set program localization. The "user set program localization" 
is an entry that determines whether or not the usage of the 
program is limited to a particular user. 

[0878] If the localization is set to "Yes" at step S822 in
the process flow in Fig. 83, then at step S823, the user's
password is input. The password is input from an input means
such as the keyboard shown in Fig. 2.

[0879] The input password is output to the cryptography
process section 302 (under the control of the main CPU 106 and
the control section 301), and the processing at step S824 is
executed. That is, the save data encryption key Ksav is
generated based on the input user password. The save data
encryption key Ksav may be generated by, for example, setting
the password itself as this key Ksav or using the master key
MKx of the recording and reproducing device to generate this
key Ksav based on the save data encryption key Ksav = DES (MKx,
password). Alternatively, a unidirectional function may be
applied, using the password as an input, so that an encryption
key can be generated based on an output from the function.

[0880] If the user localization is set to "No" at step S822,
then at step S828, a save data encryption key is generated
based on the system common key of the recording and
reproducing device 300.

[0881] Further, at step S825, the save data encryption key
Ksav (generated at step S824 or S828) is used to encrypt the
save data, and at step S826, the encrypted save data is
stored in the recording device 400.

[0882] At step S827, the program localization
set by the user at step S822 is written to the data managing
file in Fig. 84, so as to be associated with the content ID
and the recording and reproducing device ID.

[0883] Fig. 85 illustrates a
process for reproducing the save data stored by means of the
process in Fig. 83. At step S831, the content ID is read out
from the content data. At step S832, the content ID and
the program localization set by the user are read out from the
data managing file shown in Fig. 84.

[0884] At step S833, determination is made based on the
data in the data managing file. If "the user set program
localization" is set to "Yes", then at step S834, the user is
prompted to input a password. Then at step S835, a
decryption key is generated based on the input password. This
decryption key generating process uses a process algorithm
corresponding to the encryption key generating process.
That is, a decryption key generating algorithm is used that
enables data encrypted based on a certain password to be
decrypted with a decryption key generated based on the same
password.

[0885] If it is determined at step S833 that the program
localization by the user is set to "No", then at step S837,
the system common key stored in the internal memory of the
recording and reproducing device 300 is used to generate the
save data decryption key Ksav by using the system signature
key Ksys. Alternatively, an encryption key, different from the
other keys which have been separately saved to the
internal memory 307 of the recording and reproducing device
300, may be used as the save data encryption key Ksav.

[0886] At step S836, the decryption key Ksav (generated at
step S835 or S837) is used to decrypt the save data stored in
the recording device. At step S838, the recording
and reproducing device 300 reproduces and executes the save
data.

[0887] According to the save data storage and reproduction
process flows shown in Figs. 83 and 85, save data for which
"Yes" is selected for "the user set program localization"
is encrypted and decrypted with the key based on the user
input password. This is done so that this save data
can be decrypted and used only if the same password is input,
thereby improving the security of the save data.

[0888] The several aspects of the save data storage and
reproduction processes have been described, but it is also
possible to implement a process obtained by merging the above
described processes together. For example, an aspect of
generating save data encryption and decryption keys may be
performed using an arbitrary combination of the password, the
recording and reproducing device ID, the content ID, and
other information.

(17) Configuration for Excluding (Revoking) Invalid Apparatuses 
[0889] As described above, the data processing apparatus
according to the present invention improves the security of
provided contents and allows such contents to be used only by
valid users. It uses the configuration wherein the
recording and reproducing device 300 executes processes such
as authentication and encryption on various content data
provided by the medium 500 (see Fig. 3), or the communication
means 600, and then stores the data in the recording device
400.

[0890] As understood from the above description, the input
content is authenticated, encrypted, and decrypted using the
various signature keys, master keys, and integrity-check-
value-generating keys (see Fig. 18) that are stored in the
internal memory 307 (which is configured in the cryptography
process section 302 of the recording and reproducing device
300). The internal memory 307 storing the key information is
desirably characterized to restrain external illegal reads.
It comprises a semiconductor chip that essentially
rejects external accesses and has a multilayer structure, an
internal memory sandwiched between dummy layers of aluminum or
the like or arranged in the lowest layer, and a narrow range
of operating voltages and/or frequencies. If, however, the
key data or the like should be read out from the internal
memory 307 and copied to an unauthorized recording and
reproducing device 300, the copied key information may be used
for invalid usage of the content.

[0891] A configuration for preventing the invalid use of a
content, based on invalid copying of a key, will be described
below.

[0892] Fig. 86 is a block diagram illustrating
"(17) Configuration for Excluding Invalid Apparatuses",
which corresponds to this configuration.
The recording and reproducing device 300 is similar to the
recording and reproducing device 300 shown in
Figs. 2 and 3. It has an internal memory, and
the previously described various key data (Fig. 18) and
recording and reproducing device ID. Here, the recording and
reproducing device ID, the key data, or the like, copied by a
third person, is not necessarily stored in the internal memory
307. The key data or the like in the recording and
reproducing device 300 shown in Fig. 86 are collectively or
distributively stored in a memory section accessible to the
cryptography process section 302 (see Figs. 2 and 3).

[0893] To implement the configuration for excluding invalid
apparatuses, a list of invalid recording and reproducing
device IDs is stored in the header section of the content data.
As shown in Fig. 86, the content data holds a
revocation list as the list of invalid recording and
reproducing device IDs (IDdev). Further, a list integrity
check value ICVrev is used to check the revocation list for
tampering. The list of invalid recording and reproducing
device IDs (IDdev) contains the identifiers IDdev of
invalid recording and reproducing devices 300, determined by
the content provider or manager, based on the state of
distribution of invalid copies or the like. The revocation
list may be encrypted with the distribution key Kdis before
being stored. The decryption process executed by the recording
and reproducing device 300 is similar to, for example, that in
the content download process in Fig. 22.

[0894] Here, for better understanding, the revocation list
is shown as single data in the content data, but
may be contained, for example, in the previously described
usage policy (for example, see Figs. 32 to 35), which is a
component of the header section of the content data. In this
case, the previously described integrity check value ICVa is
used to check the usage policy data containing the revocation
list for tampering. If the revocation list is contained in the
usage policy, the integrity check value A, ICVa, is used for
the check, and the integrity-check-value-A-generating key,
Kicva, in the recording and reproducing device 300 is
used, thereby eliminating the need to store the integrity-
check-value-generating key Kicv-rev.

[0895] If the revocation list is contained in the content
data as independent data, the revocation list is checked using
the list integrity check value ICVrev (for checking the
revocation list for tampering), and an intermediate integrity
check value is generated from the list integrity check value
ICVrev and another partial integrity check value in the
content data, and is used to carry out a verification process.

[0896] A method for checking the revocation list using the
list integrity check value ICVrev for checking the revocation
list for tampering is similar to the process for generating
the integrity check value such as ICVa or ICVb as explained in
the above-described Figs. 23 and 24. That is, the
calculation is executed in accordance with the ICV calculation
method described in Figs. 23 and 24 and other figures. The
key used is the integrity-check-value-generating
key, Kicv-rev (stored in the internal memory 307 of the
recording and reproducing device cryptography process section
302), using the revocation list contained in
the content data as a message. The calculated integrity check
value ICV-rev' and the integrity check value, ICV-rev (stored
in the header), are compared together. If they are
equal, it is determined that the list has not been tampered
with.

[0897] The intermediate integrity check value, containing
the list integrity check value ICVrev, is generated, for
example, by using the total-integrity-check-value-
generating key Kicvt as a key. Kicvt is stored in the internal
memory 307 of the recording and reproducing device
cryptography process section 302. The ICV
calculation method described in Fig. 7 and other figures is
applied to a message string comprising the integrity check
values A and B and list integrity check value ICVrev in the
verified header. The content integrity check value is
added thereto depending on the format, as shown in Fig. 25.

[0898] The revocation list and the list integrity check
value are provided to the recording and reproducing device 300
via the medium 500 (such as a DVD or a CD), or the
communication means 600, or via the recording device 400 (such
as a memory card). In this case, the recording and reproducing
device 300 may hold valid key data or illegally copied IDs.

[0899] Figs. 87 and 88 illustrate a process
for excluding invalid recording and reproducing devices 300 in
this configuration. Fig. 87 shows a process for
excluding (revoking) invalid recording and reproducing devices
300 if content is provided by the medium 500 (such as a DVD
or a CD) or the communication means 600, while Fig. 88 shows
a process for excluding (revoking) invalid recording
and reproducing devices 300 if content is provided by the
recording device 400 (such as a memory card).

[0900] First, the process flow in Fig. 87 will be explained.
At step S901, the medium 500 is installed and a request is
made for content, that is, a reproduction or download
process. The process shown in Fig. 87 corresponds to a step
executed, for example, before installation of the medium 500
(such as DVD or the like) in the recording device 400,
followed by the download process. The download process is as
previously described with reference to Fig. 22 and is executed
as a step before the process flow in Fig. 22 or as a process
inserted into this process flow.

[0901] If the recording and reproducing device 300 receives
content via the communication means 600 (such as a network),
then at step S911, a communication session with a content
distribution service side is established. The process
then proceeds to step S902.

[0902] At step S902, the revocation list (see Fig. 86) is
obtained from the header section of the content data. In this
list obtaining process, if the content is present in the
medium 500, the control section 301 (shown in Fig. 3) reads it
out therefrom via the read section 304. If the content is
obtained from the control section, the communication means
600 shown in Fig. 3 receives it from the content distributing
side via the communication section 305.

[0903] Next, at step S903, the control section 301 passes
the revocation list (obtained from the medium 500 or the
communication means 600), to the cryptography process section
302. Cryptography process section 302 is then caused to
execute the check value generating process. The recording and
reproducing device 300 internally has the revocation-
integrity-check-value-generating key Kicv-rev. It calculates
the integrity check value ICV-rev' in accordance with the ICV
calculation method described in Figs. 23 and 24 and other
figures. This is performed by applying the integrity-check-
value-generating key Kicv-rev, using the received revocation
list as a message. It compares the result of the
calculation with the integrity check value, ICV-rev (stored
in the header). If they are equal, it determines that the
list has not been tampered with (Yes at
step S904). If the values are not equal, the recording and
reproducing device determines that the list has been tampered
with. In that case, the process proceeds to step S909 to
indicate a process error to end the process.

[0904] At step S905, the control section 306 of the
recording and reproducing device cryptography process section
302 causes the encryption/decryption section 308 of the
recording and reproducing device cryptography process section
302 to calculate the total integrity check value ICVt'. The
total integrity check value ICVt' is generated by using
the system signature key Ksys as a key. Ksys is stored in
the internal memory 307 of the recording and reproducing
device cryptography process section 302. The
intermediate integrity check value is encrypted based on the
DES, as shown in Fig. 25. The verification process, with each
partial integrity check value such as the ICVa or ICVb, is
omitted from the process flow shown in Fig. 87.
Verification with these partial check values is carried out
depending on the data format as in the process flow in the
previously described Figs. 39 to 45.

[0905] Then at step S906, the generated total integrity
check value ICVt' is compared with the integrity check value
ICVt in the header. If they are equal (Yes at step
S906), the process advances to step S907. If the values are
not equal, the recording and reproducing device determines
that the list has been tampered with, and the process proceeds
to step S909 to indicate a process error to end the process.

[0906] As previously described, the total integrity check
value ICVt is used to check all the partial integrity check
values contained in the content data, such as the ICVa and ICVb
and integrity check values for corresponding content blocks,
which are dependent on the data format. In this case, however,
the list integrity check value ICVrev, for checking the
revocation list for tampering, is added to the partial
integrity check values. All of these integrity check
values are checked for tampering. If the total integrity check
value equals the integrity check value, ICVt, stored in the
header, it is determined that none of the ICVa and ICVb, the
content block integrity check values, and the list integrity
check value ICVrev has been tampered with.

[0907] Further at step S907, the revocation list, which has
been determined to be free from tampering, is compared with
the recording and reproducing device ID (IDdev) stored in this
recording and reproducing device 300.

[0908] If the list of invalid recording and reproducing
device IDs, IDdev (read out from the content data), contains
the identifier IDdev of this recording and reproducing device
300, this recording and reproducing device 300 is determined
to have illegally copied key data. The process then advances
to step S909 to abort the subsequent procedure. For example,
the process disables the execution of the
content download process in Fig. 22.

[0909] At step S907, if the list of invalid recording and
reproducing device IDs IDdev is determined not to contain the
identifier IDdev of this recording and reproducing device 300,
this recording and reproducing device 300 is determined to
have valid key data. The process proceeds to step S908 to
enable the subsequent procedure, for example, the program
executing process or the content download process in Fig. 22
or other figures.

[0910] Fig. 88 shows a process executed to reproduce
content data stored in the recording device 400, such as a
memory card. As previously described, the recording device 400
(such as a memory card) and the recording and reproducing
device 300 carry out the mutual authentication process
described in Fig. 20 (step S921). Only if the mutual
authentication is successful at step S922 does the process
proceed to step S923 and the subsequent processing.
Whereas if the mutual authentication fails, an error occurs
at step S930 to prevent the subsequent processing from being
executed.

[0911] At step S923, the revocation list (see Fig. 86) is
obtained from the header section of the content data. The
processing at subsequent steps S924 to 930 is similar to
the corresponding processing in Fig. 87. That is, the list is
verified with the list integrity check value (S924 and S925)
and with the total integrity check value (S926 and S927).
The list entry is compared with the recording and
reproducing device ID IDdev (S928). Then, if the list of
invalid recording and reproducing device IDs, IDdev, contains
the identifier IDdev of this recording and reproducing device
300, this recording and reproducing device 300 is determined
to have illegally copied key data. The process then
advances to step S930 to abort the subsequent procedure. For
example, the process disables the execution of
the content reproduction process in Fig. 28. On the other hand,
if the list of invalid recording and reproducing device IDs,
IDdev, is determined not to contain the identifier IDdev of
this recording and reproducing device 300, this recording and
reproducing device 300 is determined to have valid key data,
and the process proceeds to step S929 to enable the subsequent
procedure.

[0912] As described above, according to the present data
processing apparatus, the data identifying invalid recording
and reproducing devices 300, that is, the revocation list
containing the identifiers IDdev of invalid recording and
reproducing devices 300, is contained in the content (provided
by the content provider or manager) as constituent data of the
header section of the content data. Before using the content
in the recording and reproducing device 300, the recording and
reproducing device user collates the recording and reproducing
device ID IDdev (stored in the memory of this recording and
reproducing device 300) with the ID in the list and prevents
the subsequent processing if matching data are found.
Consequently, the content can be prevented from being used by
invalid recording and reproducing devices 300 that store
copied key data in their memory.
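The check order of steps S923 to S930 can be modelled as follows. This is an added illustration, not code from the patent: HMAC-SHA256 stands in for the DES-CBC MAC named in the claims, and the header layout, the 8-byte ID width, the key names and the choice of which partial values feed the total check value are assumptions.

```python
import hashlib
import hmac
import struct

ID_LEN = 8  # assumed fixed width of one IDdev entry

# Constructed keys (assumption). The page keeps such keys inside the
# tamper resistant cryptography process section.
PARTIAL_ICV_KEY = b"constructed partial-check-value key"
TOTAL_ICV_KEY = b"constructed general-check-value key"


def mac(key, message):
    """Keyed check value; HMAC-SHA256 stand-in for the DES-CBC MAC."""
    return hmac.new(key, message, hashlib.sha256).digest()


def encode_list(revoked_ids):
    """Serialize the revocation list: 4-byte count, then fixed-width IDs."""
    for dev_id in revoked_ids:
        if len(dev_id) != ID_LEN:
            raise ValueError("IDdev must be %d bytes" % ID_LEN)
    return struct.pack(">I", len(revoked_ids)) + b"".join(revoked_ids)


def decode_list(blob):
    """Parse the list, rejecting a count that disagrees with the length."""
    if len(blob) < 4:
        raise ValueError("truncated revocation list")
    (count,) = struct.unpack(">I", blob[:4])
    body = blob[4:]
    if len(body) != count * ID_LEN:
        raise ValueError("revocation list length mismatch")
    return [body[i:i + ID_LEN] for i in range(0, len(body), ID_LEN)]


def build_header(content_id, revoked_ids):
    """Provider side: header with list ICV and total ICV (assumed layout)."""
    rev = encode_list(revoked_ids)
    list_icv = mac(PARTIAL_ICV_KEY, rev)
    id_icv = mac(PARTIAL_ICV_KEY, content_id)
    return {
        "content_id": content_id,
        "revocation_list": rev,
        "list_icv": list_icv,
        # Total value is a MAC over the string of partial check values.
        "total_icv": mac(TOTAL_ICV_KEY, id_icv + list_icv),
    }


def check_device(header, id_dev):
    """Device side: steps S924 to S930 for one header and one IDdev."""
    # S924/S925: the list must match its own integrity check value.
    list_icv = mac(PARTIAL_ICV_KEY, header["revocation_list"])
    if not hmac.compare_digest(list_icv, header["list_icv"]):
        return "abort: list ICV mismatch"
    # S926/S927: the set of partial values must match the total value,
    # which binds this list to this header.
    id_icv = mac(PARTIAL_ICV_KEY, header["content_id"])
    total_icv = mac(TOTAL_ICV_KEY, id_icv + list_icv)
    if not hmac.compare_digest(total_icv, header["total_icv"]):
        return "abort: total ICV mismatch"
    # S928: only a verified list is parsed and compared with IDdev.
    try:
        revoked = decode_list(header["revocation_list"])
    except ValueError:
        return "abort: malformed list"
    if any(hmac.compare_digest(id_dev, entry) for entry in revoked):
        return "abort: device revoked"   # S930
    return "enabled"                     # S929


if __name__ == "__main__":
    hdr = build_header(b"CID-0001", [b"DEV00002", b"DEV00007"])
    print(check_device(hdr, b"DEV00001"))
    print(check_device(hdr, b"DEV00007"))
```

A list and list check value lifted together from another header pass the first check and fail the second, which is why the flow verifies the total value before trusting the list.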

(18) Method for Configuring and Manufacturing Secure Chip 
[0913] As previously described, the internal memory 307 of 
the recording and reproducing device cryptography process 
section 302 or the internal memory 405 of the recording device 
400 holds important information such as the cryptography keys 
and thus needs to be structured to reject external invalid 
reads. Thus, the recording and reproducing device cryptography
process section 302 and the recording device cryptography
process section 401 are configured as a tamper resistant
memory. The tamper resistant memory is characterized to
restrain external illegal reads in that it comprises, for
example, a semiconductor chip that rejects external accesses
and has a multilayer structure, an internal memory sandwiched
between dummy layers of aluminum or the like or arranged in
the lowest layer, and a narrow range of operating voltages
and/or frequencies.

[0914] As understood from the above description, however,
data such as the recording and reproducing device signature
key (Kdev), which vary depending on the recording and
reproducing device 300, must be written to the internal memory
307 of the recording and reproducing device cryptography
process section 302. Additionally, data rewrites or reads must
be difficult after individual information for each chip (for
example, identification information (ID) and encryption key
information) has been written to a non-volatile storage area
in the chip, for example, a flash memory or an FeRAM, for
example, after shipment.

[0915] A conventional method for making data reads and
rewrites difficult comprises, for example, making a data write
command protocol secret, or separating signal lines on the
chip for accepting the data write command from communication
signal lines used after completion of the product, so that the
data write command will not be effective unless the signal is
directly transmitted to the chip on a substrate.

[0916] Even with such a conventional method, however, those 
who have a technical knowledge of storage elements can output 
signals to a data write area of the chip if they have a 
facility and a technique for driving the circuit, and even if 
a data write command protocol is secret, there is always a 
possibility that the protocol may be analyzed. 

[0917] Distribution of elements for storing cryptography
process data, which allow secret data to be modified, may
threaten the entire cryptography process system. In addition,
to prevent data from being read out, it is possible to avoid
implementing the data read command. In this case, however,
even if a regular data write has been executed, it may be
impossible to determine whether or not the written data has
been accurately written. This can result in the possibility of
supplying chips with inappropriate data written thereto.

[0918] In view of these conventional techniques, the
present invention provides a secure chip configuration that
enables data to be accurately written to a non-volatile memory,
such as a flash memory or an FeRAM, while restraining data
from being read out therefrom, as well as a method for
manufacturing such a secure chip.

[0919] Fig. 89 shows a security chip configuration
applicable to, for example, the above-described recording and
reproducing device cryptography process section 302, or the
cryptography process section 401 of the recording device 400.
Fig. 89(A) shows a security chip configuration formed during a
chip manufacturing process, that is, during a data write
process, and Fig. 89(B) shows an example of the configuration
of a product, such as the recording and reproducing device 300
or the recording device 400, which has a security chip mounted
in the product and having data written thereto.

[0920] During the manufacturing process, a process section
8001 of the security chip has mode specifying signal lines
8003 and various command signal lines 8004 connected thereto.
It writes or reads data to or from a storage section 8002.
Storage section 8002 comprises a non-volatile memory. Data is
written or read depending on, for example, whether the chip is
in a data write mode or a data read mode.

[0921] In the security chip mounted product in Fig. 89(B),
the security chip is connected to an externally connected
interface, peripheral equipment, and other elements via
general purpose signal lines. The mode signal lines 8003 are
not connected. Specific processing for the mode signal lines
8003 includes connecting these lines 8003 to ground,
increasing the voltage on
these lines to Vcc, cutting them, sealing them with an
insulator resin, etc. Such processing hinders the mode signal 
lines 8003 in the security chip from being accessed after 
shipment, thereby preventing data from being externally read 
out from the chip or written thereto. 

[0922] Further, the security chip 8000 of this
configuration hinders data from being written to the storage
section 8002 while hindering written data from being read out
therefrom, thereby preventing invalid data writes or reads
even if a third person successfully accesses the mode signal
lines 8003. Fig. 90 shows a process flow of a data write to,
or a data read from, the security chip of this configuration.

[0923] At step S951, the mode signal lines 8003 are set for
a data write or read mode.

[0924] At step S952, authentication information is taken
out from the chip. The security chip of this configuration
stores information required for the authentication process,
such as a password and key information for the authentication
process for the cryptography technique, for example, by wires
or the mask ROM configuration. At step S952, this
authentication information is read out to execute the
authentication process. If, for example, a regular data write
jig and data read device are connected to the general purpose
signal lines to execute the authentication process, the
authentication will be successful (Yes at step S953). If,
however, an invalid data write jig and data read device are
connected to the general purpose signal lines to execute the
authentication process, the authentication will fail (No at
step S953), and the process is stopped. The authentication
process can be executed, for example, in accordance with the
mutual authentication process procedure previously described
in Fig. 13. The process section 8001, shown in Fig. 89(A), has
a configuration capable of such an authentication process.
This can be implemented, for example, using a configuration
similar to a command register integrated into the control
section 403 of the cryptography process section 401 of the
recording device 400 (shown in the previously described Fig.
29). For example, the process section of the chip in Fig.
89(A) has a configuration similar to the command register,
integrated into the control section 403 of the cryptography
process section 401 of the recording device 400 shown in Fig.
29. It carries out an appropriate process to enable the
authentication process sequence to be executed in response to
an input of a predetermined command from an apparatus
connected to the various command signal lines 8004.

[0925] The process section 8001 accepts the data write or read
command to execute the data write (step S955) or read (step
S956) process only if the authentication process is successful.

[0926] As described above, the security chip of this
configuration is configured to execute the authentication
process on a data write or read, thereby preventing an
unauthorized third person from reading or writing data to or
from the storage section of the security chip.

[0927] Next, Fig. 91 shows an embodiment of a securer
element configuration. In this example, the storage section
8200 of the security chip is separated into two areas. One
of the areas is a Read Write (RW) area 8201, to and from which
data can be written and read. The other section is a Write
Only (WO) area 8202 to which data can only be written.

[0928] In this configuration, cryptography key data, ID
data, and other data which require high security are written
to the Write Only (WO) area 8202, whereas integrity check data
and other data which do not require so high security are
written to the Read Write (RW) area 8201.

[0929] As a process for reading data out from the Read 
Write (RW) area 8201, the process section 8001 executes a data 
read process involving the authentication process described in 
the above described Fig. 90. The data write process, however, 
is executed following the flow in Fig. 92. 

[0930] At step S961 in Fig. 92, the mode signal lines 8003
are set for the write mode, and at step S962, an
authentication process, similar to that described in the above
Fig. 90, is executed. When the authentication process is
successful, the process proceeds to step S963 to output to the
process section 8001 a command for writing information such
as key data which requires high security to the Write Only
(WO) area 8202 via the command signal lines 8004, while
writing check data or other data, which do not require as
high a security, to the Read Write (RW) area 8201.

[0931] On receiving the command, the process section 8001
executes a data write process at step S964. This is done on
the Write Only (WO) area 8202 or the Read Write (RW) area
8201, depending on the command.

[0932] In addition, Fig. 93 shows a process for verifying
data written to the Write Only (WO) area 8202.

[0933] At step S971 in Fig. 93, the process section 8001
causes the Write Only (WO) area 8202 to execute the
cryptography process based on the written data. Like the above
authentication process executing configuration, this execution
configuration is implemented by a configuration for
sequentially executing the cryptography process sequence
stored in the command register. Additionally, the cryptography
process algorithm executed in the process section 8001 is not
particularly limited. For example, the previously described
DES algorithm can be carried out.

[0934] Then at step S972, a verification device (connected
to the security chip) receives the result of the cryptography
process from the process section 8001. Then at step S973, the
result of the application of a cryptography process (similar
to the algorithm executed by the process section 8001) on the
regular write data written to the storage section is compared
with the result of encryption from the process section 8001.

[0935] If the compared results are identical, it is
verified that the data written to the Write Only (WO) area
8202 is correct.

[0936] With this configuration, if the authentication
process should be deciphered to enable the read command to be
executed, data can be read out only from the Read Write (RW)
area 8201, while data written to the Write Only (WO) area 8202
cannot be read out. Thus this configuration provides much
higher security. In addition, unlike chips that prohibit data
reads, this chip includes the Read Write (RW) area 8201 to
enable memory accesses to be validated.
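The write and verify flows of Figs. 90, 92 and 93 can be modelled as follows. This is an added illustration, not code from the patent: the class and function names are hypothetical, a one-way challenge-response stands in for the mutual authentication of Fig. 13, and HMAC-SHA256 stands in for the DES process, which the text says is not particularly limited.

```python
import hashlib
import hmac
import os


class AccessDenied(Exception):
    """Raised when the process section refuses a command."""


def mac(key, message):
    """Keyed result; HMAC-SHA256 stand-in for the chip's DES process."""
    return hmac.new(key, message, hashlib.sha256).digest()


class SecurityChip:
    """Model of process section 8001 with areas 8201 (RW) and 8202 (WO)."""

    def __init__(self, auth_key):
        self._auth_key = bytes(auth_key)  # authentication info in mask ROM
        self._rw = {}                     # Read Write (RW) area 8201
        self._wo = {}                     # Write Only (WO) area 8202
        self._challenge = None
        self._authenticated = False

    def get_challenge(self):
        """Start authentication (S952); any earlier session is dropped."""
        self._authenticated = False
        self._challenge = os.urandom(16)
        return self._challenge

    def authenticate(self, response):
        """Finish authentication (S953); each challenge is single use."""
        if self._challenge is None:
            return False
        expected = mac(self._auth_key, self._challenge)
        self._challenge = None
        self._authenticated = hmac.compare_digest(expected, response)
        return self._authenticated

    def _require_auth(self):
        if not self._authenticated:
            raise AccessDenied("authentication required")

    def write(self, area, name, data):
        """Write command (S955 / S964), accepted for either area."""
        self._require_auth()
        if area not in ("RW", "WO"):
            raise ValueError("unknown area")
        (self._wo if area == "WO" else self._rw)[name] = bytes(data)

    def read(self, area, name):
        """Read command (S956); no read path exists for the WO area."""
        self._require_auth()
        if area != "RW":
            raise AccessDenied("the WO area has no read path")
        return self._rw[name]

    def process_with(self, name, message):
        """S971: run the process keyed by WO data; only the result leaves.

        Gating this command on authentication is an assumption of the model.
        """
        self._require_auth()
        return mac(self._wo[name], message)


def jig_authenticate(chip, auth_key):
    """Write jig side of the challenge-response."""
    challenge = chip.get_challenge()
    return chip.authenticate(mac(auth_key, challenge))


def verify_wo_write(chip, name, intended):
    """Verification device (S972/S973): compare the chip's result with the
    same process applied to the data that should have been written."""
    message = os.urandom(16)  # fresh input, so old results cannot be replayed
    from_chip = chip.process_with(name, message)
    return hmac.compare_digest(from_chip, mac(intended, message))


if __name__ == "__main__":
    chip = SecurityChip(b"constructed jig key")
    jig_authenticate(chip, b"constructed jig key")
    chip.write("WO", "Kdev", bytes(range(8)))  # constructed key value
    print(verify_wo_write(chip, "Kdev", bytes(range(8))))
```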

[0937] This invention has been described with reference to
the particular embodiments. Obviously, however, modifications
or substitutions may be made to the present invention by those
skilled in the art without deviating from the spirits thereof.
That is, the present invention has been disclosed for
illustrative purposes only and should not be interpreted in a
restrictive manner. In addition, in the above described
embodiments, the recording and reproducing device, capable of
recording and reproducing contents, is described by way of
example. However, the configuration of the present invention
is applicable to apparatuses capable of only either recording
or reproducing data. The present invention can be
implemented in personal computers, game apparatuses, and other
various data processing apparatuses in general. To determine
the points of the present invention, the claims set forth at
the beginning should be referenced.

[0938] Although the invention herein has been described
with reference to particular embodiments, it is to be
understood that these embodiments are merely illustrative of
the principles and applications of the present invention. It
is therefore to be understood that numerous modifications may
be made to the illustrative embodiments and that other
arrangements may be devised without departing from the spirit
and scope of the present invention as defined by the appended
claims.

Industrial Applicability 

The present invention can be utilized in apparatuses and
systems which are capable of reproducing various contents such
as sounds, images, games, and programs, which can be obtained
via a storage medium, such as a DVD and a CD, or via various
wired and radio communication means such as CATV, Internet,
and satellite communication, in a recording and reproducing
device a user has, and storing the contents in a special
recording device, such as a memory card, a hard disk, and a
CD-R, and at the same time, of offering security in which the
utilization that a contents provider wants is limited in the
case of using the contents stored in the recording device, and
a third party other than regular users is prevented from
illegally using the provided contents.

Explanation of Reference Numerals

106... main CPU, 107... RAM, 108... ROM, 109... AV process
section, 110... Input interface (I/F), 111... PIO, 112... SIO,
300... recording and reproducing device, 301... control
section, 302... cryptography process section, 303... recording
device controller, 304... read section, 305... communication
section, 306... control section, 307... internal memory,
308... encryption/decryption section, 400... recording device,
401... cryptography process section, 402... external memory,
403... control section, 404... communication section,
405... internal memory, 406... encryption/decryption section,
407... external memory control section, 500... medium,
600... communication means, 2101, 2102, and 2103... recording
and reproducing devices, 2104, 2105, and 2106... recording
devices, 2901... command number managing section,
2902... command register, 2903 and 2904... authentication
flags, 3001... speaker, 3002... monitor, 3090... memory,
3091... content analysis section, 3092... data storage
section, 3093... program storage section, 3094... compression
and decompression process section, 7701... content data ID,
7702... revocation list, 7703... list integrity check value,
8000... security chip, 8001... process section, 8002... storage
section, 8003... mode signal lines, 8004... command signal
lines, 8201... read and write area, 8202... write only area.

1. (AMENDED) A data processing apparatus for processing
content data provided by a recording or communication medium,
said apparatus comprising:

a cryptography process section for executing a
cryptography process on said content data; and

a control section for executing control for
said cryptography process section,

wherein said cryptography process section:

generates partial integrity check values as integrity
check values for a partial data set, said partial data set
containing partial data obtained by a content
data-constituting section into a plurality of parts,

collates said generated integrity check values to
verify said partial data,

generates an intermediate integrity check value
based on a partial integrity check value set containing at
least one of said partial integrity check values, and

uses said generated intermediate integrity check value
to verify the plurality of said partial data set.

2. (AMENDED) The data processing apparatus according to
Claim 1, wherein:

said partial integrity check values are generated
by means of said cryptography process with a
partial-check-value-generating key applied thereto, using said
partial data to be checked as a message;

said intermediate integrity check value is generated
by means of said cryptography process with a
general-check-value-generating key applied thereto, using said
partial integrity check value set as said message; and

said cryptography process section is configured to
store said partial integrity-check-value-generating key
and said general integrity-check-value-generating key.

3. (AMENDED) The data processing apparatus according to
Claim 1, wherein said cryptography process has plural types of
partial-check-value-generating keys corresponding to said
partial integrity check values.

4. (AMENDED) The data processing apparatus according to
Claim 2, wherein:

said cryptography process is a DES cryptography
process, and

said cryptography process section is configured to
execute said DES cryptography process.

5. (AMENDED) The data processing apparatus according to
Claim 2, wherein:

said partial integrity check values are message
authentication codes (MAC) generated in a DES-CBC mode using
said partial data to be checked as said message;

said intermediate integrity check value is one of
said message authentication codes (MAC) generated in said
DES-CBC mode using said partial integrity check value set
data string to be checked as said message; and

said cryptography process section is configured to
execute said cryptography process in said DES-CBC mode.

6. (AMENDED) The data processing apparatus according to
Claim 5, wherein Triple DES is applied in part of a message
string to be processed in said DES-CBC mode.

7. (AMENDED) The data processing apparatus according to
Claim 1, further comprising:

a signature key, wherein:

said cryptography process section is configured to
apply a value generated from said intermediate integrity check
value by means of said signature key as a collation value for
data verification.

8. (AMENDED) The data processing apparatus according to
Claim 7, wherein:

said signature key includes a plurality of different
signature keys; and

said cryptography process section is configured to
apply one of said plurality of different signature keys, which
is selected depending on a localization of said content data,
to said cryptography process for said intermediate
integrity check value to obtain said collation value for
data verification.

9. (AMENDED) The data processing apparatus according to
Claim 8, further comprising:

a common signature key common to all entities of a
system for executing a data verifying process; and

an apparatus-specific signature key specific to each
apparatus that executes said data verifying process.

10. (AMENDED) The data processing apparatus according to
Claim 1, wherein:

said partial integrity check values contain at
least one header section integrity check value and at least
one or more content integrity check values, said at least one
header section integrity check value being generated for
intra-header-section data partly constituting data and said at
least one content integrity check value being generated for
content block data partly constituting said data; and

said cryptography process is configured to generate
at least one or more header section integrity check values for
said partial data set in said intra-header-section data to
execute a collation process, generate at least one content
integrity check value for said partial data set in said
intra-content-section data to execute said collation process,
and further generate a general integrity check value based on
all of said header section integrity check values and said
content integrity check values, to execute said collation
process in order to verify said data.

11. (AMENDED) The data processing apparatus according to
Claim 1, wherein:

said partial integrity check values contain at
least one header section integrity check value generated for
intra-header-section data partly constituting data; and

said cryptography process is configured to generate
at least one or more header section integrity check values for
said partial data set in said intra-header-section data to
execute a collation process and further generate a general
integrity check value based on said at least one header
section integrity check value generated and on content block
data constituting part of said data, to execute said
collation process in order to verify said data.

12. (AMENDED) The data processing apparatus according to
Claim 1, further comprising a recording device for storing
data validated by said cryptography process section.

13. (AMENDED) The data processing apparatus according to
Claim 12, wherein:

said control section suspends the storing of said data
in said recording device if a process of collating said
partial integrity check values is not established in said
cryptography process executed by said cryptography process
section.

14. (AMENDED) The data processing apparatus according to
Claim 1, further comprising a reproduction process section for
reproducing data validated by said cryptography process
section.

15. (AMENDED) The data processing apparatus according to
Claim 14, wherein:

said control section suspends the reproducing of
said data in said reproduction process section if a process of
collating said partial integrity check values is not
established in said cryptography process executed by said
cryptography process section.


16. (AMENDED) The data processing apparatus according to
Claim 14, further comprising:

control means for collating only the header section
integrity check values in said data during said
cryptography process executed by said cryptography process
section to collate said partial integrity check values; and

transmitting to said reproduction process section
said data for which collation of said header section
integrity check values has been established.

17. (AMENDED) A data processing apparatus for processing
content data provided by a recording or communication medium,
said apparatus comprising:

a cryptography process section for executing a
cryptography process on said content data; and

a control section for executing control for said
cryptography process section, wherein

if data to be verified is encrypted data said
cryptography process section generates integrity check values
for said data by means of a signature data-applied
cryptography process from data on arithmetic operation results
obtained by executing an arithmetic operation process on
decrypted data obtained by executing a decryption process on
said encrypted data.

18. (AMENDED) The data processing apparatus according to
Claim 17, wherein said arithmetic operation process comprises
performing an exclusive-OR operation on said decrypted data at
predetermined bytes, said decrypted data being obtained by
decrypting said encrypted data.

19. (AMENDED) A data processing method for processing
content data provided by a recording or communication medium,
said method comprising:

generating partial integrity check values
as integrity check values for a partial data set, said partial
data set containing partial data obtained by a content
data-constituting section into a plurality of parts;

collating said integrity check values to verify said
partial data;

generating an intermediate integrity check
value based on a partial integrity check value set
containing at least one of said partial integrity
check values; and

verifying said partial data set corresponding to said
partial integrity check values using said intermediate
integrity check value.

20. (AMENDED) The data processing method according to Claim
19, wherein:

said partial integrity check values are generated
by means of a cryptography process with a
partial-check-value-generating key applied thereto, using said
partial data as a message; and

said intermediate integrity check value is generated
by means of said cryptography process with a
general-check-value-generating key applied thereto, using said
partial integrity check value set as said message.


21. (AMENDED) The data processing method according to Claim
20, wherein said partial integrity check values are generated
by applying different types of said
partial-check-value-generating keys corresponding to generated
partial integrity check values.

22. (AMENDED) The data processing method according to Claim
20, wherein said cryptography process is a DES cryptography
process.

23. (AMENDED) The data processing method according to Claim
19, wherein:

said partial integrity check values include a
message authentication code (MAC) generated in a DES-CBC mode
using said partial data to be checked as a message; and

said intermediate integrity check value is said
message authentication code (MAC) generated in said DES-CBC
mode using said partial integrity check value set data
string as said message.

24. (AMENDED) The data processing method according to Claim
19, wherein a value generated from said intermediate integrity
check value by means of a signature key-applied cryptography
process is applied as a collation value for data verification.

25. (AMENDED) The data processing method according to Claim
24, wherein different signature keys are applied to said
cryptography process for said intermediate integrity check
value depending on a localization of said content data, said
different signature keys being applied to obtain said
collation value for data verification.

26. (AMENDED) The data processing method according to Claim
25, further comprising:

selecting and using one of

a common signature key common to all entities of a
system for executing a data verifying process and

an apparatus-specific signature key specific to
each apparatus that executes said data verifying process,

said selecting step being based on the localization of
said content data.

27. (AMENDED) The data processing method according to
Claim 19, wherein

said partial integrity check values contain at
least one header section integrity check value generated for
intra-header section data partly constituting data and at
least one content integrity check value generated for
intra-content section data partly constituting said data; and
said method further comprising:

generating at least one header section integrity check
value for said partial data set in said intra-header-section
data to execute a collation process;

generating at least one content integrity check value
for said partial data set in said intra-content-section data
to execute said collation process; and

generating a general integrity check value based on
all of said header section integrity check values and said
content integrity check values generated, said general
integrity check value being operable to execute said collation
process in order to verify said data.

28. (AMENDED) The data processing method according to Claim
19, wherein:

said partial integrity check values contain at
least one header section integrity check value generated for
intra-header section data partly constituting data, said
method further comprising:

generating at least one header section integrity check
value for said partial data set in said intra-header-section
data to execute a collation process; and

generating a general integrity check value based on
said at least one or more header section integrity check
values generated and on content block data constituting part
of said data, said general integrity check value being
operable to execute said collation process in order to verify
said data.

29. (AMENDED) The data processing method according to Claim
19, further comprising: storing validated data after
verifying said partial data set.

30. (AMENDED) The data processing method according to Claim
29, further comprising suspending said storing of said
validated data if collating of said partial integrity check
values is not established.

31. (AMENDED) The data processing method according to Claim
19, further comprising: reproducing data after verifying said
partial data set.

32. (AMENDED) The data processing method according to Claim
31, further comprising:

suspending said reproducing of said data if
collating of said partial integrity check values is not
established.

33. (AMENDED) The data processing method according to Claim
31, wherein:

said collating of said partial integrity check
values only collates header section integrity check values and
transmits said data for which collation of said header
section integrity check values has been established to said
reproduction process section for reproduction.

34. (AMENDED) A data processing method for processing
content data provided by a recording or communication medium,
the method comprising:

decrypting encrypted data to be verified to obtain
decrypted data;

executing an arithmetic operation process on said decrypted
data to obtain results; and

executing a signature key-applied cryptography process on
said results, to generate integrity check values for said
data to be verified.




35. (AMENDED) The data processing method according to Claim
34, wherein said arithmetic operation process comprises
performing an exclusive-OR operation on said decrypted data
at predetermined bytes.

36. (AMENDED) A data verifying value imparting method for a
data verifying process, said method comprising:

imparting partial integrity check values as
integrity check values for a partial data set, said partial
data set containing partial data obtained by a content data;
and

imparting an intermediate integrity check value to data to
be verified, said intermediate integrity check value being
used to verify a partial integrity check value set containing
at least one or more of said partial integrity check values.

37. (AMENDED) The data verifying value imparting method
according to Claim 36, wherein:

said partial integrity check values are generated
by means of a cryptography process with a
partial-check-value-generating key applied thereto, using
said partial data as a message; and

said intermediate integrity check value is generated
by means of said cryptography process with a
general-check-value-generating key applied thereto, using
said partial integrity check value set as said message.

38. (AMENDED) The data verifying value imparting method
according to Claim 37, wherein said partial integrity check
values are generated by applying different types of said
partial-check-value-generating keys corresponding to
generated said partial integrity check values.

39. (AMENDED) The data verifying value imparting method
according to Claim 37, wherein said cryptography process is a
DES cryptography process.

40. (AMENDED) The data verifying value imparting method
according to Claim 36, wherein:

said partial integrity check values include a
message authentication code (MAC) generated in a DES-CBC mode
using said partial data as a message; and

said intermediate integrity check value is said
message authentication code (MAC) generated in said DES-CBC
mode using said partial integrity check value set as said
message.

41. (AMENDED) The data verifying value imparting method
according to Claim 36, wherein a value generated from said
intermediate integrity check value by means of a signature
key-applied cryptography process is applied as a collation
value for data verification.

42. (AMENDED) The data verifying value imparting method
according to Claim 41, wherein different signature keys are
applied to said cryptography process for said intermediate
integrity check value to obtain said collation value, said
different signature keys being applied depending on a
localization of said content data.

43. (AMENDED) The data verifying value imparting method
according to claim 42, further comprising:

selecting either a common signature key or an
apparatus-specific signature key as one of said different
signature keys depending upon the localization of said
content data, said common signature key being common to all
entities of a system for executing said data verifying
process, and said apparatus-specific signature key being
specific to each apparatus that executes said data verifying
process.

44. (AMENDED) The data verifying value imparting method
according to Claim 36, wherein:

said partial integrity check values contains at
least one or more header section integrity check values for
intra-header section data partly constituting data and at
least one or more content integrity check values generated for
intra-content-section data partly constituting said data,
and

said method further comprising:

generating a general integrity check value to verify said
data for all said at least one header section integrity check
values and said at least one content integrity check values.

45. (AMENDED) The data verifying value imparting method
according to Claim 36, wherein:

said partial integrity check values contains at
least one header section integrity check values for
intra-header-section data partly constituting data, and

said method further comprising:

generating a general integrity check value to verify said
data, said general integrity check value being generated for
said at least one header section integrity check values and
content block data partly constituting said data.

46. (AMENDED) A recording medium recorded with a computer
program for executing a data verifying process having certain
actions, said actions comprising:

executing a collation process using partial
integrity check values generated as integrity check values for
a partial data set containing partial data obtained by
dividing data into a plurality of parts; and

using an intermediate integrity check value to verify said
partial data set, said intermediate integrity check value
being based on a partial integrity check value set obtained by
combining at least some of said partial integrity check values
together, and said partial data set corresponding to said
partial integrity check values constituting said partial
integrity check value set.

47. (AMENDED) A data processing apparatus, comprising:

an encryption processing section that executes
encryption processing including at least one of data
encryption, data decryption, data verification, authentication
processing and signature processing; and

a storage section that stores master keys to
generate keys used for said encryption processing,

wherein said encryption processing section is configured to
generate individual keys for executing said encryption
processing based on one of said master keys, an encryption
processing target apparatus, and data identification data.

48. (AMENDED) The data processing apparatus according to
Claim 47, wherein:

said encryption processing section performs said
encryption processing on transfer data via a storage medium or
a communication medium;

said storage section stores a distribution key
generation master key MKdis for generating a distribution key
Kdis, said distribution key Kdis being used for said
encryption processing of said transfer data; and

said encryption processing section executes said
encryption processing based on said distribution key
generation master key MKdis and a data identifier, said data
identifier including identification data of said transfer
data.

49. (AMENDED) The data processing apparatus according to
Claim 47, wherein:

said data processing apparatus performs authentication
processing of an externally connected apparatus to/from which
data is transferred;

said storage section stores an authentication key
generation master key MKake for generating an authentication
key Kake of said externally connected apparatus; and

said encryption processing section executes said
encryption processing based on said authentication key
generation master key MKake and an externally connected
apparatus identifier, said externally connected apparatus
identifier including identification data of said externally
connected apparatus.

50. (AMENDED) The data processing apparatus according to
Claim 47, wherein:

said encryption processing section performs
said signature processing on data;

said storage section stores a signature key
generation master key MKdev for generating a data processing
apparatus signature key Kdev of said data processing
apparatus; and

said encryption processing section executes said
signature processing based on said signature key
generation master key MKdev and a data processing apparatus
identifier, said data processing apparatus identifier
including identification data of said data processing
apparatus.

51. (AMENDED) The data processing apparatus according to
Claim 47, wherein said encryption processing section performs
individual key generation processing to generate said
individual keys for executing said encryption processing
based on said master keys and identification data, said
encryption processing using said identification data as a
message and applying said master keys as the encryption keys.

52. (AMENDED) The data processing apparatus according to
Claim 51, wherein said encryption processing uses a DES
algorithm.
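
Added illustration, not part of the application: the check-value chain of Claims 36 to 43 (partial integrity check values, intermediate integrity check value, collation value under a signature key chosen by localization) together with the master-key derivation of Claims 47 to 52. HMAC-SHA-256 stands in for the DES and DES-CBC MAC processes the claims name, deriving the apparatus-specific signature key from MKdev is an assumption of this sketch, and every function name, key and data value is constructed.

```python
import hashlib
import hmac


def keyed(key: bytes, message: bytes) -> bytes:
    """Keyed one-way process. Assumption: HMAC-SHA-256 replaces the DES and
    DES-CBC MAC processes named in the claims."""
    return hmac.new(key, message, hashlib.sha256).digest()


def derive_individual_key(master_key: bytes, identifier: bytes) -> bytes:
    """Claims 47-52: identification data is the message, the master key is
    the key, so every holder of the master key derives the same value."""
    return keyed(master_key, identifier)


def signature_key_for(localized: bool, common_key: bytes,
                      mkdev: bytes, device_id: bytes) -> bytes:
    """Claims 42-43: apparatus-specific key for localized content, common key
    otherwise. Deriving the specific key from MKdev is an assumption here."""
    if localized:
        return derive_individual_key(mkdev, device_id)
    return common_key


def impart(parts, partial_key, general_key, signature_key):
    """Claims 36-41: one partial ICV per part, an intermediate ICV over the
    ICV set, then the collation value under the signature key."""
    icvs = [keyed(partial_key, part) for part in parts]
    intermediate = keyed(general_key, b"".join(icvs))
    return icvs, keyed(signature_key, intermediate)


def verify(parts, stored_icvs, stored_collation,
           partial_key, general_key, signature_key):
    """Return (status, indices of parts whose partial ICV failed)."""
    if len(parts) != len(stored_icvs):
        return "length-mismatch", []
    bad = [i for i, (part, icv) in enumerate(zip(parts, stored_icvs))
           if not hmac.compare_digest(keyed(partial_key, part), icv)]
    if bad:
        return "partial-mismatch", bad
    intermediate = keyed(general_key, b"".join(stored_icvs))
    if not hmac.compare_digest(keyed(signature_key, intermediate),
                               stored_collation):
        return "collation-mismatch", []
    return "ok", []


def demo():
    # All keys, identifiers and data below are constructed sample values.
    pk, gk = b"constructed-partial-key", b"constructed-general-key"
    common, mkdev = b"constructed-common-key", b"constructed-MKdev"
    parts = [b"header: title=demo", b"content block 1", b"content block 2"]
    key_a = signature_key_for(True, common, mkdev, b"device-A")
    key_b = signature_key_for(True, common, mkdev, b"device-B")
    icvs, coll = impart(parts, pk, gk, key_a)

    results = {"intact_on_A": verify(parts, icvs, coll, pk, gk, key_a)}

    # One content block altered: its partial ICV pinpoints the block.
    altered = [parts[0], b"content block X", parts[2]]
    results["altered_part"] = verify(altered, icvs, coll, pk, gk, key_a)

    # Blocks and their ICVs swapped together: every pair still matches,
    # only the intermediate value over the ICV set notices the change.
    results["reordered"] = verify(
        [parts[0], parts[2], parts[1]], [icvs[0], icvs[2], icvs[1]],
        coll, pk, gk, key_a)

    # Localized content moved to another apparatus: its derived key differs.
    results["localized_on_B"] = verify(parts, icvs, coll, pk, gk, key_b)

    # Non-localized content verifies anywhere under the common key.
    icvs_c, coll_c = impart(parts, pk, gk, common)
    key_any = signature_key_for(False, common, mkdev, b"device-B")
    results["common_on_B"] = verify(parts, icvs_c, coll_c, pk, gk, key_any)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```
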

53. (AMENDED) A data processing system, comprising:

a plurality of data processing apparatuses;

a common master key to generate a key used
for encryption processing including at least one of data
encryption, data decryption, data verification, authentication
processing and signature processing, each of said plurality of
data processing apparatuses having said common master key; and

a common individual key for executing said encryption
processing based on said master key and identification data,
each of said plurality of data processing apparatuses
generating said common individual key.

54. (AMENDED) The data processing system according to Claim
53, further comprising:

a contents data providing apparatus operable to
configure said plurality of data processing apparatuses and to
supply contents data; and

a contents data utilization apparatus that utilizes
said contents data,

both said contents data providing apparatus and
said contents data utilization apparatus having a
distribution key generation master key to generate a contents
data distribution key, said contents data distribution key
being used for said encryption processing of circulation
contents data between said contents data providing apparatus
and said contents data utilization apparatus,

said contents data providing apparatus generating said
contents data distribution key based on said distribution key
generation master key and a contents identifier, said
contents identifier being an identifier of said contents data
and executes encryption processing on said contents data, and

said contents data utilization apparatus generating said
contents data distribution key based on said distribution key
generation master key and said contents identifier and
executes decryption processing on said contents data.

55. (AMENDED) The data processing system according to Claim
54, wherein:

said contents data providing apparatus generates a
plurality of different contents data distribution keys based
on a plurality of different distribution key generation
master keys and said contents identifier, executes said
encryption processing using said plurality of different
contents data distribution keys, and generates encryption
contents data having a plurality of types, and

said contents data utilization apparatus has at
least one of said plurality of different distribution key
generation master keys, and makes decodable only said
encryption contents data formed by a distribution key
generated using one of said different distribution key
generation master keys that is the same as a distribution key
generation master key owned by an apparatus.

56. (AMENDED) The data processing system according to Claim
53, further including:

a contents key generation master key to generate a contents
key used for said encryption processing of contents data,
said contents key generation master key being stored in each
of said plurality of data processing apparatuses;

a first one of said plurality of data processing apparatuses
storing said contents data in a storage medium, said contents
data being encrypted by said contents key generated based on
an apparatus identifier of said first one of said plurality
of data processing apparatuses; and

a second one of said plurality of data processing
apparatuses generating said contents key based on said
contents key generation master key and said apparatus
identifier of said first one of said plurality of data
processing apparatuses, and executing decryption processing
on said contents data in said storage medium based on said
contents key generated.

57. (AMENDED) The data processing system according to Claim
53, further including:

a host device having an authentication key
generation master key; and

a slave device subject to authentication processing
by said host device, said slave device having said
authentication key generation master key and a slave device
identifier, said authentication key generation master key
being used for authentication processing between said host
device and said slave device, wherein:

said slave device generates an authentication key
based on said authentication key generation master key and
said slave device identifier, said slave device identifier
being an identifier of said slave device and being
stored in a memory of said slave device, and

said host device generates said authentication
key based on said authentication key generation master key and
said slave device identifier and executes authentication
processing, and

said plurality of data processing apparatuses are
configured by said host device and said slave device.

58. (AMENDED) A data processing method that executes
encryption processing including at least one of data
encryption, data decryption, data verification, authentication
processing and signature processing, said data processing
method comprising:

generating individual keys based on master keys and
identification data of an externally connected
apparatus or data subject to said encryption processing; and

executing said encryption processing based on said
individual keys.

59. (AMENDED) The data processing method according to Claim
58, wherein said encryption processing is executed on
transfer data via a storage medium or a communication medium;

said step of generating said individual keys includes
executing encryption processing based on a distribution key
generation master key MKdis and a data identifier, and
generating a distribution key Kdis of said transfer data,
said distribution key Kdis being used for encryption
processing of said transfer data, and said data identifier
including said identification data of said transfer data; and

said executing said encryption processing step includes
executing encryption processing on said transfer data based
on said distribution key Kdis.

60. (AMENDED) The data processing method according to Claim
58, wherein:

said encryption processing is authentication processing of
the externally connected apparatus to and from which said
data is transferred;

said step of generating said individual keys includes
executing said encryption processing and generating an
authentication key Kake, said encryption processing being
based on an authentication key generation master key MKake
and an externally connected apparatus identifier, said
externally connected apparatus identifier including said
identification data of said externally connected apparatus;
and

said step of executing said encryption processing includes
executing said authentication processing of said externally
connected apparatus based on said authentication key Kake.

61. (AMENDED) The data processing method according to Claim
58, wherein:

said encryption processing is said signature processing on
said data;

said step of generating said individual keys includes
executing said signature processing based on a
signature key generation master key Mkdev and a data
processing apparatus identifier, and generating a data
processing apparatus signature key Kdev of a data processing
apparatus, said signature key generation master key Mkdev
being operable to generate said data processing apparatus
signature key Kdev, and said data processing apparatus
identifier being identification data of said data processing
apparatus; and

said encryption processing step includes
executing said signature processing on said data based on
said signature key Kdev.

62. (AMENDED) The data processing method according to
Claim 58, wherein said step of generating said individual
keys includes executing said encryption processing using at
least part of said data identification of said externally
connected apparatus or said data subject to said encryption
processing as a message, and applying said master keys as the
encryption keys.

63. (AMENDED) The data processing method according to
Claim 62, wherein said encryption processing uses a DES
algorithm.

64. (AMENDED) A data processing system, comprising:

a contents data providing apparatus that supplies
contents data, said contents data providing apparatus being
operable to generate a contents data distribution key based on
a distribution key generation master key and a contents
identifier, said contents identifier being an identifier of
said contents data and said contents data providing apparatus
being operable to execute encryption processing on said
contents data; and

a contents data utilization apparatus that utilizes
said contents data, said contents data utilization apparatus
being operable to generate said contents data distribution
key based on said distribution key generation master key and
said contents identifier.

65. (AMENDED) The data processing system according to
Claim 64, wherein:

said contents data providing apparatus generates a
plurality of different contents data distribution keys based
on a plurality of different distribution key generation
master keys and said contents identifier, executes said
encryption processing using said plurality of different
contents data distribution keys, and generates encryption
contents data having a plurality of types; and

said contents data utilization apparatus has at
least one of said plurality of different distribution key
generation master keys, and decrypts only said encryption
contents data formed by a distribution key generated using
one of said different distribution key generation master keys
that is the same as a distribution key generation master key
owned by an apparatus.

66. (AMENDED) A data processing method in a data processing
system configured by a plurality of data processing
apparatuses, said method comprising:

storing contents data in a storage medium, said
contents data being encrypted using a contents key and being
stored by a data processing apparatus A, and said contents
key being generated based on a contents data generation
master key and an apparatus identifier of said data
processing apparatus A;

generating said contents key with a different data
processing apparatus B based on said contents key generation
master key and said apparatus identifier of said data
processing apparatus A; and

decrypting said contents data stored in said storage medium
using said contents key generated by said data processing
apparatus B.

67. (AMENDED) A data processing method in a data processing
system including a host device and a slave device subject to
authentication processing by said host device, said data
processing method comprising:

generating an authentication key in said slave device based
on an authentication key generation master key and a slave
device identifier, said authentication key being used for
said authentication processing between said host device and
said slave device, said slave device identifier being an
identifier of said slave device;

storing said authentication key generated in a memory in
said slave device; and

generating said authentication key in said host device
based on said authentication key generation master key and
said slave device identifier; and

executing said authentication processing.

68. (AMENDED) A recording medium recorded with a computer program for executing encryption processing having certain actions to perform at least one of data encryption, data decryption, data verification, authentication processing and signature processing on a computer system, said actions comprising:

generating individual keys based on said master keys and identification data; and

executing said encryption processing based on said individual keys generated.

69. (AMENDED) A data processing apparatus that processes contents data supplied from a storage medium or communication medium, comprising:

a storage section that stores data processing apparatus identifiers;

a list verification section that extracts an illegal device list included in said contents data and executes collation between entries in said illegal device list and said data processing apparatus identifiers stored in said storage section; and

a control section that terminates processing of at least one of reproduction of said contents data or processing of storage in a recording device when a result of said collation processing shows that said illegal device list includes information that matches said data processing apparatus identifiers.

70. (AMENDED) The data processing apparatus according to Claim 69, wherein:

said list verification section comprises an encryption processing section that executes encryption processing on said contents data; and

said encryption processing section verifies the presence or absence of tampering in said illegal device list based on check values of said illegal device list included in said contents device and executes said collation processing only when said verification proves no tampering.

71. (AMENDED) The data processing apparatus according to Claim 70, further comprising an illegal device list check value generation key, wherein said encryption processing section executes said encryption processing by applying said illegal device list check value generation key to illegal device list configuration data to be verified, generates illegal device list check values, executes collation between said illegal device list check values and the illegal device list check values included in said contents data and thereby verifies the presence or absence of tampering in said illegal device list.
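The order of checks in claims 69 to 71 (verify the list's check value, collate identifiers only if it verifies, stop processing on a match), as an added example that is not part of the claims or of any implementation by the applicant. The header layout, the function names, the fail-closed handling of a tampered list and the use of HMAC-SHA256 for the check value computation, which the claims leave unspecified, are assumptions.

```python
import hashlib
import hmac
import struct

ID_LEN = 8    # assumed width of one apparatus identifier (constructed format)
ICV_LEN = 32  # HMAC-SHA256 output length


def list_icv(icv_key: bytes, config_data: bytes) -> bytes:
    """Check value over the list configuration data (HMAC stands in for the
    claim's unspecified encryption processing)."""
    return hmac.new(icv_key, config_data, hashlib.sha256).digest()


def build_header(icv_key: bytes, revoked_ids: list) -> bytes:
    """Content-producer side: entry count, entries, then the check value.
    The count is covered by the check value so entries cannot be dropped."""
    for dev_id in revoked_ids:
        if len(dev_id) != ID_LEN:
            raise ValueError("identifier must be ID_LEN bytes")
    config = struct.pack(">I", len(revoked_ids)) + b"".join(revoked_ids)
    return config + list_icv(icv_key, config)


def verified_entries(icv_key: bytes, header: bytes):
    """Return the list entries, or None when the tampering check fails."""
    if len(header) < 4 + ICV_LEN:
        return None
    config, stored = header[:-ICV_LEN], header[-ICV_LEN:]
    # Recompute the check value and collate it with the stored one.
    if not hmac.compare_digest(list_icv(icv_key, config), stored):
        return None
    (count,) = struct.unpack(">I", config[:4])
    body = config[4:]
    if len(body) != count * ID_LEN:
        return None
    return [body[i:i + ID_LEN] for i in range(0, len(body), ID_LEN)]


def decide(icv_key: bytes, header: bytes, own_ids: list) -> str:
    """Apparatus side: collation runs only on a list that verified."""
    entries = verified_entries(icv_key, header)
    if entries is None:
        # Assumption: an unverifiable list also stops processing (fail closed).
        return "stop: list tampered"
    for own in own_ids:
        if any(hmac.compare_digest(own, entry) for entry in entries):
            return "stop: apparatus listed"
    return "continue"


# Constructed sample data.
ICV_KEY = b"constructed-icv-key"
REVOKED = [b"DEV-0007", b"DEV-0042"]
HEADER = build_header(ICV_KEY, REVOKED)
# Same header with the second entry removed and the count adjusted,
# but the original check value left in place.
STRIPPED = struct.pack(">I", 1) + b"DEV-0007" + HEADER[-ICV_LEN:]

if __name__ == "__main__":
    print(decide(ICV_KEY, HEADER, [b"DEV-0001"]))
    print(decide(ICV_KEY, HEADER, [b"DEV-0042"]))
    print(decide(ICV_KEY, STRIPPED, [b"DEV-0042"]))
```
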

72. (AMENDED) The data processing apparatus according to Claim 69, wherein:

said list verification section comprises an encryption processing section that executes encryption processing on said contents data; and

said encryption processing section executes decryption processing of an encrypted illegal device list included in said contents data to produce a decrypted illegal device list, and executes said collation processing on said decrypted illegal device list.

73. (AMENDED) The data processing apparatus according to Claim 69, wherein:

said list verification section comprises an encryption processing section that executes mutual authentication processing with a recording device to which and from which said contents data is transferred; and

said list verification section extracts said illegal device list included in said contents data and executes said collation with said data processing apparatus identifiers stored in said storage section on condition that authentication with said recording device has been established through said mutual authentication processing executed by said encryption processing section.

74. (AMENDED) A data processing method that processes contents data supplied from a storage medium or communication medium, comprising:

extracting an illegal device list included in said contents data;

executing collation between entries included in said illegal device list and said data processing apparatus identifiers stored in a storage section in a data processing apparatus; and

stopping execution of processing of at least one of reproduction of said contents data or processing of storage in a recording device when a result of said collation processing shows that said illegal device list includes information that matches said data processing apparatus identifiers.

75. (AMENDED) The data processing method according to Claim 74, further comprising:

verifying the presence or absence of tampering in said illegal device list based on check values of said illegal device list included in said contents data; and

executing said collation processing only when said verifying step proves no tampering.

76. (AMENDED) The data processing method according to Claim 75, wherein said verifying step includes:

executing encryption processing by applying an illegal device list check value generation key to illegal device list configuration data to be verified and generating illegal device list check values; and

executing collation between said illegal device list check values generated and said illegal device list check values included in said contents data and thereby verifying the presence or absence of tampering in said illegal device list.


77. (AMENDED) The data processing method according to Claim 74, further comprising:

executing decrypting processing on an encrypted illegal device list included in said contents data to produce a decrypted illegal device list; and

executing said collation processing on said decrypted illegal device list.

78. (AMENDED) The data processing method according to Claim 74, further comprising a mutual authentication processing step of executing mutual authentication processing with a recording device to which and from which said contents data is transferred, wherein

said collation processing is performed on condition that authentication with said recording device has been established through mutual authentication processing executed in said mutual authentication processing step.

79. (AMENDED) A contents data generation method, comprising:

generating contents data supplied to a plurality of recorders or a plurality of reproducers, said contents data being supplied from a storage medium or a communication medium; and

storing an illegal device list as the header information of the contents data, said illegal device list having component data comprising identifiers of said plurality of recorders or said plurality of reproducers,

whereby said illegal device list will be excluded from the use of said contents data.

80. (AMENDED) The contents data generation method according to Claim 79, wherein illegal device list check values for a tampering check on said illegal device list are stored as said header information of said contents data.

81. (AMENDED) The contents data generation method according to Claim 79, wherein said illegal device list is encrypted and stored in said header information of said contents data.

82. (AMENDED) A recording medium recorded with a computer program for processing of contents data supplied from a storage medium or a communication medium, said computer program comprising:

extracting an illegal device list included in said contents data;

executing collation between entries included in said illegal device list and said data processing apparatus identifiers stored in a storage section in a data processing apparatus; and

stopping execution of processing of at least one of reproduction of said contents data or processing of storage in a recording device when a result of said collation processing shows that said illegal device list includes information that matches said data processing apparatus identifiers.

83. (AMENDED) A data processing apparatus that processes contents data supplied via a recording medium or a communication medium, comprising:

an encryption processing section that executes encryption processing on said contents data;

a control section that executes control over said encryption processing section;

a system common key used for said encryption processing, which is common to a plurality of data processing apparatuses using said contents data, said plurality of data processing apparatuses including said data processing apparatus; and

at least one of an apparatus-specific key and an apparatus-specific identifier, said apparatus-specific key being specific to said data processing apparatus and said apparatus-specific identifier being used to generate said apparatus-specific key, wherein

said encryption processing section is configured to perform said encryption processing by applying one of said system common key and said apparatus-specific key according to a utilization mode of said contents data.

84. (AMENDED) The data processing apparatus according to Claim 83, wherein said encryption processing section executes said encryption processing by applying said one of said system common key and said apparatus-specific key according to utilization restriction information included in said contents data.

85. (AMENDED) The data processing apparatus according to Claim 83, further including a recording device for recording said contents data, wherein:

said encryption processing section, when said utilization mode restricts usage of said contents data to said data processing apparatus, generates data to be stored in said recording device by executing said encryption processing using said apparatus-specific key on said contents data; and

where said utilization mode permits usage of said contents data by at least one of said plurality of data processing apparatuses other than said data processing apparatus, said data is generated by executing said encryption processing using said system common key on said contents data.

86. (AMENDED) The data processing apparatus according to Claim 83, further including a signature key Kdev and a system signature key Ksys, said signature key Kdev being specific to said data processing apparatus and said system signature key Ksys being common to said plurality of data processing apparatuses, wherein:

when said contents data is stored in a recording device, said contents data being restricted to use by said data processing apparatus, said encryption processing section generates an apparatus-specific check value through said encryption processing by applying said signature key Kdev to said contents data;

when said contents data is stored in said recording device, said contents data also being made available for use by at least one of said plurality of data processing apparatuses other than said data processing apparatus, said encryption processing section generates an overall check value through said encryption processing by applying said system signature key Ksys to said contents data; and

said control section performs control of storing said contents data in said recording device together with one of said apparatus-specific check value and said overall check value.

87. (AMENDED) The data processing apparatus according to Claim 83, further including a signature key Kdev and a system signature key Ksys, said signature key Kdev being specific to said data processing apparatus and said system signature key Ksys being common to said plurality of data processing apparatuses, wherein:

when said utilization mode restricts usage of said contents data to said data processing apparatus, and said contents data is reproduced, said encryption processing section generates an apparatus-specific check value by applying said signature key Kdev to said contents data and performing collation processing on said apparatus-specific check value generated;

when said utilization mode permits usage of said contents data by at least one of said plurality of data processing apparatuses other than said data processing apparatus, and said contents data is reproduced, said encryption processing section generates an overall check value by applying said system signature key Ksys to said contents data and performing collation processing on said overall check value generated; and

said control section generates reproducible decrypted data by continuing processing of said contents data by the encryption processing section only when said collation processing on said apparatus-specific check value is established or when said collation processing on said overall check value is established.

88. (AMENDED) The data processing apparatus according to Claim 83, further including a recording data processing apparatus signature key master key MKdev and a data processing apparatus identifier IDdev, wherein

said encryption processing section generates a signature key Kdev through said encryption processing based on said data processing apparatus signature key master key MKdev and said data processing apparatus identifier IDdev.

89. (AMENDED) The data processing apparatus according to Claim 88, wherein said encryption processing section generates said signature key Kdev through DES encryption processing by applying said data processing apparatus signature key master key MKdev to said data processing apparatus identifier IDdev.

90. (AMENDED) The data processing apparatus according to Claim 83, wherein said encryption processing section generates an intermediate integrity check value by executing said encryption processing on said contents data, and executes said encryption processing including applying one of said apparatus-specific key and said system common key to said intermediate integrity check value.

91. (AMENDED) The data processing apparatus according to Claim 90, wherein said encryption processing section generates a partial integrity check value through said encryption processing on a partial data set containing at least one partial data item obtained by dividing said contents data into a plurality of parts and generates said intermediate integrity check value through said encryption processing on a partial integrity check value set data string containing said partial integrity check value generated.
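How claims 83 to 91 fit together (Kdev derived from MKdev and IDdev, key choice by utilization mode, and a check value built from partial and intermediate integrity check values), as an added example that is not part of the claims or of any implementation by the applicant. The class and function names, the record layout, the part size, the separate `icv_key` and the use of HMAC-SHA256 in place of the DES encryption processing named in claim 89 are assumptions.

```python
import hashlib
import hmac

PART_SIZE = 64  # assumed size of one partial data item


def keyed(key: bytes, data: bytes) -> bytes:
    """Keyed check value; HMAC-SHA256 substituted for the claims'
    encryption processing (claim 89 names DES)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_kdev(mk_dev: bytes, id_dev: bytes) -> bytes:
    """Claim 88: signature key Kdev from master key MKdev and identifier IDdev."""
    return keyed(mk_dev, id_dev)


def intermediate_icv(icv_key: bytes, contents: bytes) -> bytes:
    """Claim 91: partial check values per part, then one check value over
    the string of partial check values."""
    parts = [contents[i:i + PART_SIZE]
             for i in range(0, len(contents), PART_SIZE)] or [b""]
    partial = [keyed(icv_key, part) for part in parts]
    return keyed(icv_key, b"".join(partial))


class Apparatus:
    def __init__(self, mk_dev: bytes, id_dev: bytes, k_sys: bytes, icv_key: bytes):
        self.k_dev = derive_kdev(mk_dev, id_dev)  # apparatus-specific
        self.k_sys = k_sys                        # common to all apparatuses
        self.icv_key = icv_key

    def _check_value(self, contents: bytes, local_only: bool) -> bytes:
        # Claims 83 and 90: the utilization mode selects which key is applied
        # to the intermediate integrity check value.
        key = self.k_dev if local_only else self.k_sys
        return keyed(key, intermediate_icv(self.icv_key, contents))

    def store(self, contents: bytes, local_only: bool) -> dict:
        """Claim 86: store contents together with the matching check value."""
        return {"contents": contents, "local_only": local_only,
                "check": self._check_value(contents, local_only)}

    def reproduce(self, record: dict):
        """Claim 87: continue only when collation is established."""
        expected = self._check_value(record["contents"], record["local_only"])
        if not hmac.compare_digest(expected, record["check"]):
            return None
        return record["contents"]


# Constructed sample data.
MK_DEV = b"constructed-master-key"
K_SYS = b"constructed-system-key"
ICV_KEY = b"constructed-icv-key"
CONTENT = b"sample contents block " * 10
DEV_A = Apparatus(MK_DEV, b"IDdev-A", K_SYS, ICV_KEY)
DEV_B = Apparatus(MK_DEV, b"IDdev-B", K_SYS, ICV_KEY)
LOCAL = DEV_A.store(CONTENT, local_only=True)
SHARED = DEV_A.store(CONTENT, local_only=False)

if __name__ == "__main__":
    print("A plays local:", DEV_A.reproduce(LOCAL) is not None)
    print("B plays local:", DEV_B.reproduce(LOCAL) is not None)
    print("B plays shared:", DEV_B.reproduce(SHARED) is not None)
```

Every apparatus that holds MKdev can derive any Kdev from a known IDdev, so the binding to one apparatus is only as strong as the protection of MKdev.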

92. (AMENDED) A data processing method for a data processing apparatus that processes contents data supplied via a recording medium or a communication medium, said method comprising:

selecting, according to a utilization mode of said contents data, an encryption processing key from among an encryption processing system common key and an apparatus-specific key, said encryption processing system common key being common to a plurality of data processing apparatuses using said contents data, said plurality of data processing apparatuses including said data processing apparatus, and said apparatus-specific key being specific to said data processing apparatus; and

executing encryption processing by applying said selected encryption processing key to said contents data.

93. (AMENDED) The data processing method according to Claim 92, wherein said step of selecting said encryption processing key includes selecting said encryption processing key according to utilization restriction information contained in said contents data.

94. (AMENDED) The data processing method according to Claim 92, further including:

generating data to be stored in a recording device by executing said encryption processing applying said apparatus-specific key on said contents data when said utilization mode restricts usage of said contents data to said data processing apparatus; and

generating said data to be stored in said recording device by executing said encryption processing using said encryption processing system common key on said contents data when said utilization mode permits usage of said contents data by at least one of said plurality of data processing apparatuses other than said data processing apparatus.

95. (AMENDED) The data processing method according to Claim 92, further including:

generating an apparatus-specific check value through said encryption processing by applying an apparatus-specific signature key Kdev to said contents data when said contents data is restricted to use by said data processing apparatus and is stored in said recording device;

generating an overall check value through said encryption processing by applying a system signature key Ksys to said contents data when said contents data is available for use by at least one of said plurality of data processing apparatuses other than said data processing apparatus and is stored in said recording device; and

storing said contents data in said recording device together with one of said apparatus-specific check value and said overall check value.

96. (AMENDED) The data processing method according to Claim 92, further including:

when reproducing said contents data, wherein said utilization mode restricts usage of said contents data by said data processing apparatus,

generating an apparatus-specific check value through said encryption processing by applying an apparatus-specific signature key Kdev to said contents data, and

performing collation processing on said apparatus-specific check value generated;

when reproducing said contents data, wherein said utilization mode permits usage of said contents data by at least one of said plurality of data processing apparatuses other than said data processing apparatus,

generating an overall check value through said encryption processing by applying a system signature key Ksys to said contents data, and

performing collation processing on said overall check value generated; and

reproducing said contents data only when said collation processing on said apparatus-specific check value is established or when said collation processing on said overall check value is established.

97. (AMENDED) The data processing method according to Claim 92, further comprising generating a signature key Kdev through said encryption processing based on a data processing apparatus signature key master key MKdev and a data processing apparatus identifier IDdev.

98. (AMENDED) The data processing method according to Claim 97, wherein said step of generating said signature key Kdev includes DES encryption processing by applying said data processing apparatus signature key master key MKdev to said data processing apparatus identifier IDdev.

99. (AMENDED) The data processing method according to Claim 92, further comprising generating an intermediate integrity check value by executing said encryption processing on said contents data, executing said encryption processing including applying one of said apparatus-specific key and said system common key to said intermediate integrity check value.

100. (AMENDED) The data processing method according to Claim 99, further including:

generating a partial integrity check value through said encryption processing on a partial data set containing at least one partial data item obtained by dividing said contents data into a plurality of parts; and

generating said intermediate integrity check value through said encryption processing on a partial integrity check value set data string containing said partial integrity check value generated.

101. (AMENDED) A recording medium recorded with a computer program for a data processing apparatus, said computer program allowing data processing that processes contents data supplied via a recording medium or a communication medium, said computer program comprising:

selecting, according to a utilization mode of said contents data, a key from among an encryption processing key, an encryption processing system common key and an apparatus-specific key, said encryption processing system common key being common to a plurality of data processing apparatuses using said contents data, said plurality of data processing apparatuses including said data processing apparatus, and said apparatus-specific key being specific to said data processing apparatus; and

executing encryption processing by applying said selected encryption processing key to said contents data.

102. (AMENDED) A data processing apparatus that processes contents data supplied via a recording medium or a communication medium, comprising:

an encryption processing section that executes encryption processing on said contents data, said encryption processing section being configured to generate a contents check value in units of contents block data included in said contents data and to execute collation processing on said contents check value and thereby execute verification processing as to the validity of each of said units of contents block data; and

a control section that executes control over said encryption processing section.

103. (AMENDED) The data processing apparatus according to Claim 102, further including a contents check value generation key, wherein said encryption processing section generates a contents intermediate value based on said contents block data and said encryption processing system generates said contents check value by executing encryption processing applying said contents check value generation key to said contents intermediate value.

104. (AMENDED) The data processing apparatus according to Claim 103, wherein:

when said contents block data is encrypted, said encryption processing section generates said contents intermediate value by executing predetermined operation processing on an entire decrypted statement in units of a predetermined number of bytes, said entire decrypted statement being obtained by decryption processing of said contents block data; and

when said contents block data is not encrypted, said encryption processing section generates said contents intermediate value by executing said predetermined operation processing on said entire contents block data in said units of said predetermined number of bytes.

105. (AMENDED) The data processing apparatus according to Claim 104, wherein said predetermined operation processing by said encryption processing section is an exclusive-OR operation.

106. (AMENDED) The data processing apparatus according to Claim 104, wherein:

said encryption processing section has an encryption processing configuration in a CBC mode; and

said decryption processing is decryption processing in said CBC mode.

107. (AMENDED) The data processing apparatus according to Claim 106, wherein said encryption processing configuration in said CBC mode is a configuration in which common key encryption processing is applied a plurality of times only to part of a message string to be processed.

108. (AMENDED) The data processing apparatus according to Claim 102, wherein, when said contents block data contains a plurality of parts and a portion of said plurality of parts is to be verified, said encryption processing section generates said contents check value based on said portion to be verified, and executes said collation processing on said contents check value generated.

109. (AMENDED) The data processing apparatus according to Claim 108, wherein, when said portion is encrypted:

said encryption processing section generates said contents check value by executing encryption processing applying a contents check value generation key to a value obtained by carrying out an exclusive-OR in units of a predetermined number of bytes on an entire decrypted statement, said entire decrypted statement being obtained by decryption processing of said portion; and

when said portion is not encrypted:

said encryption processing section generates said contents check value by executing encryption processing applying said contents check value generation key to said value.

110. (AMENDED) The data processing apparatus according to
Claim 108, wherein, when a portion of said plurality of parts
needs to be verified, said encryption processing section
applies a contents check value generation key to said portion
of said plurality of parts to obtain a parts check value,
applies said contents check value generation key to link data
of said parts check value to obtain a result, and uses said
result as said contents check value.

111. (AMENDED) The data processing apparatus according to
Claim 102, wherein said encryption processing section further
comprises a recording device for storing said contents data
containing said units of contents block data whose validity has
been verified.

112. (AMENDED) The data processing apparatus according to
Claim 111, wherein, when said collation processing is not
executed on said contents check value, said control section
stops said storage in said recording device.

113. (AMENDED) The data processing apparatus according to
Claim 102, wherein said encryption processing section further
comprises a reproduction processing section for reproducing
data whose validity has been verified.

114. (AMENDED) The data processing apparatus according to
Claim 113, wherein, when said collation processing is not
executed on said contents check value, said control section
stops said reproduction processing in said reproduction
processing section.

115. (AMENDED) A data processing method that processes
contents data supplied via a recording medium or a
communication medium, characterized by comprising:

generating a contents check value in units of contents block
data included in said contents data; and

executing collation processing on said contents check value
generated and thereby executing verification processing as to
the validity of said units of contents block data in said data.

116. (AMENDED) The data processing method according to
Claim 115, further including:

generating a contents intermediate value based on said
contents block data to be verified; and

generating said contents check value by executing encryption
processing by applying said contents check value generation key
to said contents intermediate value generated.

117. (AMENDED) The data processing method according to Claim
115, characterised by further including:

when said contents block data is encrypted, generating a
contents intermediate value by executing predetermined
operation processing on an entire decrypted statement in units
of a predetermined number of bytes, said entire decrypted
statement being obtained through decryption processing of said
contents block data in units of a predetermined number of
bytes; and

when said contents block data is not encrypted, generating
said contents intermediate value by executing said
predetermined operation processing on said entire contents
block data in said units of said predetermined number of bytes.


118. (AMENDED) The data processing method according to
Claim 117, wherein said predetermined operation processing is
an exclusive-OR operation.

119. (AMENDED) The data processing method according to
Claim 117, wherein said decryption processing is decryption
processing in a CBC mode.

120. (AMENDED) The data processing method according to
Claim 119, wherein, in said step of decryption processing in
said CBC mode, common key encryption processing is applied a
plurality of times only to part of a message string to be
processed.

121. (AMENDED) The data processing method according to
Claim 115, further including, when said contents block data
contains a plurality of parts and a portion of said plurality
of parts is to be verified, generating said contents check
value based on said portion to be verified prior to executing
said collation processing on said contents check value
generated.

122. (AMENDED) The data processing method according to
Claim 121, characterized by further including:

when said portion is encrypted:

performing decryption processing of said portion to obtain an
entire decrypted statement,

carrying out an exclusive-OR operation in units of a
predetermined number of bytes on said entire decrypted
statement, and

generating said contents check value by executing encryption
processing applying a contents check value generation key to a
value obtained by carrying out said exclusive-OR operation; and

when said portion is not encrypted:

generating said contents check value by executing encryption
processing applying said contents check value generation key to
said value.

123. (AMENDED) The data processing method according to
Claim 121, further including:

applying a contents check value generation key to each of
said plurality of parts to obtain a parts check value;

further applying said contents check value generation key to
link data of said parts check value to obtain a result; and

using said result as said contents check value.

124. (AMENDED) The data processing method according to
Claim 115, further including storing said contents data
containing said units of contents block data whose validity has
been verified.

125. (AMENDED) The data processing method according to
Claim 124, further including stopping said storing of said
contents data when said collation processing is not executed on
said contents check value.

126. (AMENDED) The data processing method according to
Claim 115, further including reproducing data whose validity
has been verified.

127. (AMENDED) The data processing method according to
Claim 126, further including stopping said reproduction
processing when said collation processing is not executed on
said contents check value.

128. (AMENDED) A contents data verification value assignment
method for contents data verification processing,
characterized by comprising:

generating a contents check value in units of contents block
data, said contents block data being included in said contents
data; and

assigning said contents check value generated to said
contents data.

129. (AMENDED) The contents data verification value
assignment method according to Claim 128, wherein said contents
check value is generated through encryption processing by
applying a contents check value generation key using said
contents block data to be checked as a message.

130. (AMENDED) The contents data verification value
assignment method according to Claim 128, wherein:

said contents check value is generated by generating a
contents intermediate value based on said contents block data
and applying said contents check value generation key to said
contents intermediate value.
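
The check value generation and collation recited in the claims above, as an added Python example that is not part of the patent text: it computes the exclusive-OR intermediate value, the parts check values and the check value over their link data, then collates before storing. HMAC-SHA256 truncated to 8 bytes stands in for the keyed encryption step (the claims elsewhere name DES); the 8-byte unit, zero padding, key and sample parts are constructed assumptions.

```python
import hashlib
import hmac

UNIT = 8  # assumed "predetermined number of bytes" (one DES block)


def keyed(key: bytes, message: bytes) -> bytes:
    """Stand-in for "encryption processing applying the check value
    generation key": HMAC-SHA256 truncated to one unit, not DES."""
    return hmac.new(key, message, hashlib.sha256).digest()[:UNIT]


def intermediate_value(data: bytes) -> bytes:
    """Exclusive-OR of the data taken in UNIT-byte units.
    Zero-padding a short final unit is an assumption of this example."""
    if len(data) % UNIT:
        data += b"\x00" * (UNIT - len(data) % UNIT)
    acc = bytearray(UNIT)
    for offset in range(0, len(data), UNIT):
        for i in range(UNIT):
            acc[i] ^= data[offset + i]
    return bytes(acc)


def part_check_xor(key: bytes, part: bytes) -> bytes:
    """Parts check value from the XOR intermediate value."""
    return keyed(key, intermediate_value(part))


def part_check_message(key: bytes, part: bytes) -> bytes:
    """Parts check value using the part itself as the message."""
    return keyed(key, part)


def contents_check_value(key, parts, part_check=part_check_xor) -> bytes:
    """Apply the key to each part, then again to the link data
    (here: the concatenated parts check values)."""
    link_data = b"".join(part_check(key, p) for p in parts)
    return keyed(key, link_data)


def collate(key, parts, stored, part_check=part_check_xor) -> bool:
    """Collation: recompute and compare in constant time."""
    recomputed = contents_check_value(key, parts, part_check)
    return hmac.compare_digest(recomputed, stored)


def store_if_valid(key, parts, stored, recording_device,
                   part_check=part_check_xor) -> bool:
    """Stop storage when collation fails; store otherwise."""
    if not collate(key, parts, stored, part_check):
        return False
    recording_device.append(b"".join(parts))
    return True


# Constructed sample data (not from the patent).
KEY = b"constructed-check-value-key"
PARTS = [b"HEADER01AUDIODATA-FRAME1", b"PROGRAM0BLOCK-02"]
# One byte changed in the first part.
TAMPERED = [PARTS[0][:-1] + b"2", PARTS[1]]
# First two 8-byte units of the first part exchanged, bytes unchanged.
REORDERED = [PARTS[0][8:16] + PARTS[0][0:8] + PARTS[0][16:], PARTS[1]]


def demo() -> dict:
    stored_xor = contents_check_value(KEY, PARTS, part_check_xor)
    stored_msg = contents_check_value(KEY, PARTS, part_check_message)
    return {
        "genuine": collate(KEY, PARTS, stored_xor),
        "tampered": collate(KEY, TAMPERED, stored_xor),
        # XOR is commutative, so unit order does not affect the value.
        "reordered_xor": collate(KEY, REORDERED, stored_xor),
        "reordered_message": collate(KEY, REORDERED, stored_msg,
                                     part_check_message),
    }


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case}: collation {'passes' if passed else 'fails'}")
```

The reordered case shows that a check value built on the exclusive-OR intermediate value does not depend on the order of the units, whereas one that takes the part itself as the message does.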

131. (AMENDED) The contents data verification value
assignment method according to Claim 128, wherein said contents
check value is generated by executing encryption processing on
said contents block data in a CBC mode.

132. (AMENDED) The contents data verification value
assignment method according to Claim 131, wherein said CBC
mode is a configuration in which common key encryption
processing is applied a plurality of times only to part of a
message string to be processed.

133. (AMENDED) The contents data verification value
assignment method according to Claim 128, wherein said contents
block data contains a plurality of parts and a portion of said
plurality of parts is to be verified, said method further
comprising:

generating said contents check value based on said portion;
and

assigning said contents check value generated to said
contents data.

134. (AMENDED) The contents data verification value 
assignment method according to Claim 133, characterized
by further including:

when said portion is encrypted: 

performing decryption processing of said portion to 
obtain an entire decrypted statement, 

carrying out an exclusive-OR operation in units of a 
predetermined number of bytes on said entire decrypted 
statement to obtain a value, and 

generating said contents check value by applying a 
contents check value generation key to said value; and 

when said portion is not encrypted: 

generating said contents check value by applying
said contents check value generation key to said value.

135. (AMENDED) The contents data verification value
assignment method according to Claim 133, further including:

applying a contents check value generation key to each of
said plurality of parts to obtain a parts check value;

further applying said contents check value generation key to
link data of said parts check value to obtain a result; and

using said result as said contents check value.

136. (AMENDED) A recording medium recorded with a computer
program for executing data processing on contents data
supplied via a recording medium or a communication medium, said
computer program comprising:

generating a contents check value in units of contents block
data included in said contents data; and

executing collation processing on said contents check value
generated and thereby executing verification processing as to
the validity of said units of contents block data in said data.

137. (AMENDED) A data processing apparatus for generating
storing data with respect to a recording device for recording
content data, said content data including a plurality of
content blocks and a header section, at least a part of said
plurality of content blocks being encrypted and said header
section being operable to store information on said contents
blocks, said content data being structured by encryption key
data Kdis[Kcon] stored in said header section, said encryption
key data Kdis[Kcon] being formed by applying an encryption key
Kdis to an encryption key Kcon, said data processing apparatus
comprising:

means for removing said encryption key data Kdis[Kcon] from
said header section;

means for executing decryption processing on said encryption
key data Kdis[Kcon] to generate decryption data Kcon;

means for generating new encryption key data Kstr[Kcon] by
applying an encryption key Kstr to said decryption data Kcon;

means for storing said new encryption key data Kstr[Kcon] in
said header section; and

means for applying a different encryption key Kstr to said
generated decryption data Kcon to execute decryption encryption
processing.

138. (AMENDED) A data processing apparatus for generating
storing data with respect to a recording device for recording
content data, said content data including a plurality of
content blocks and a header section, at least a part of said
plurality of content blocks being encrypted and said header
section being operable to store information on said contents
blocks, said plurality of content blocks being composed of
contents encrypted by an encryption key Kblc and encryption key
data Kcon[Kblc], said encryption key data Kcon[Kblc] being
formed by applying an encryption key Kcon to said encryption
key Kblc, and said plurality of content blocks having a
structure in which encryption key data Kdis[Kcon] is stored in
said header section, said encryption key data Kdis[Kcon] being
formed by applying an encryption key Kdis to said encryption
key Kcon, said data processing apparatus comprising:

means for removing said encryption key data Kdis[Kcon] from
said header section;

means for executing decryption processing on said encryption
key data Kdis[Kcon] to generate decryption data Kcon;

means for generating new encryption key data Kstr[Kcon] by
applying an encryption key Kstr to said decryption data Kcon;

means for storing said new encryption key data Kstr[Kcon] in
said header section of said content data; and

means for applying a different encryption key Kstr to said
generated decryption data Kcon to execute decryption encryption
processing.

139. (AMENDED) A data processing apparatus for generating
storing data with respect to a recording device for recording
content data, said content data including a plurality of
content blocks and a header section, at least a part of said
plurality of content blocks being encrypted and said header
section being operable to store information on said plurality
of contents blocks, said plurality of content blocks being
composed of contents encrypted by an encryption key Kblc and
encryption key data Kdis[Kblc], said encryption key data
Kdis[Kblc] being formed by applying an encryption key Kdis to
said encryption key Kblc, said data processing apparatus
comprising:

means for removing said encryption key data Kdis[Kblc] from a
content block section;

means for executing decryption processing of said encryption
key data Kdis[Kblc] to generate decryption data Kblc;

means for generating an encryption key data Kstr[Kblc] by
applying an encryption key Kstr to said decryption data Kblc;

means for storing said encryption key data Kstr[Kblc] in said
contents block section; and

means for applying a different encryption key Kstr to said
generated decryption data Kblc to execute decryption encryption
processing.

140. (AMENDED) A content data generating method for
generating content data, comprising:

coupling a plurality of content blocks including at least one
of voice information, image information and program data;

applying encryption processing to at least a part of said
content blocks by using an encryption key Kcon;

generating encryption key data Kdis[Kcon] by applying an
encryption key Kdis to said encryption key Kcon;

storing said encryption key Kdis in a header section of said
content data; and

generating said content data including said plurality of
content blocks and said header section.

141. (AMENDED) The content data generating method according
to Claim 140, further including:

generating block information that stores information
including at least one of:

identification information on said content data,

usage policy information including a data length of said
content data and a data type of said content data,

a data length of at least one of said content blocks, and

a presence or absence of encryption processing; and

storing said block information in said header section.

142. (AMENDED) The content data generating method according
to Claim 140, further including:

generating a part check value based on a portion of
information composing said header section;

storing said part check value in said header section;

generating a total check value based on said part check
value; and

storing said total check value in said header section.

143. (AMENDED) The content data generating method according
to Claim 142, wherein said steps of generating said part check
value and generating said total check value are executed by
applying a DES encryption processing algorithm using data to be
checked as a message and using a check value generation key as
an encryption key.

144. (AMENDED) The content data generating method according
to Claim 141, further including:

applying said encryption processing to said block information
by applying said encryption key Kdis to an encryption key Kbit
to form encryption key data Kdis[Kbit]; and

storing said encryption key data Kdis[Kbit] in said header
section.

145. (AMENDED) The content data generating method according
to Claim 140, wherein each block of said plurality of content
blocks is generated as a common fixed data length.

146. (AMENDED) The content data generating method according
to Claim 140, wherein each block of said plurality of content
blocks is generated with an encryption data section and a
non-encryption data section arranged regularly.

147. (AMENDED) A content data generating method for
generating content data, comprising:

coupling a plurality of content blocks each including at
least one of voice information, image information and program
data;

composing at least a part of said plurality of content blocks
by applying an encryption key Kcon to an encryption key Kblc to
obtain encryption key data Kcon[Kblc];

generating encryption key data Kdis[Kcon] by applying an
encryption key Kdis to said encryption key Kcon;

storing said encryption key data Kdis[Kcon] in a header
section of said content data; and

generating said content data including said plurality of
content blocks and said header section.


148. (AMENDED) A content data generating method for
generating content data, comprising:

coupling a plurality of content blocks each including at
least any one of voice information, image information and
program data;

composing at least a part of said plurality of content blocks
by applying an encryption key Kdis to an encryption key Kblc to
obtain encryption key data Kdis[Kblc]; and

generating said content data including said plurality of
content blocks and a header section of said content data.

149. (AMENDED) A data processing method for storing content
data in a recording device, said content data having a
plurality of content blocks and a header section, at least a
part of said plurality of content blocks being encrypted and
said header section being operable to store information on said
plurality of content blocks, said content data being structured
by encryption key data Kdis[Kcon] stored in said header
section, said encryption key data Kdis[Kcon] being formed by
applying an encryption key Kdis to an encryption key Kcon, said
method comprising:

removing said encryption key data Kdis[Kcon] from said header
section;

executing decryption processing on said encryption key data
Kdis[Kcon] to generate decryption data Kcon;

generating new encryption key data Kstr[Kcon] by applying an
encryption key Kstr to said decryption data Kcon;

storing said generated new encryption key data Kstr[Kcon] in
said header section; and

storing said header section in said recording device together
with said plurality of content blocks.


150. (AMENDED) A data processing method for storing content
data in a recording device, said content data having a
plurality of content blocks and a header section, at least a
part of said plurality of content blocks being encrypted and
said header section being operable to store information on said
plurality of content blocks, said plurality of content blocks
being composed of contents encrypted by an encryption key Kblc
and encryption key data Kcon[Kblc], said encryption key data
Kcon[Kblc] being formed by applying an encryption key Kcon to
said encryption key Kblc, and said plurality of content blocks
having a structure in which encryption key data Kdis[Kcon] is
stored in said header section, said encryption key data
Kdis[Kcon] being formed by applying an encryption key Kdis to
said encryption key Kcon, said method comprising:

removing said encryption key data Kdis[Kcon] from said header
section;

executing decryption processing on said encryption key data
Kdis[Kcon] to generate decryption data Kcon;

generating new encryption key data Kstr[Kcon] by applying an
encryption key Kstr to said decryption data Kcon to execute
encryption processing;

storing said generated new encryption key data Kstr[Kcon] in
said header section; and

storing said header section in said recording device together
with said plurality of content blocks.

151. (AMENDED) A data processing method for storing content
data in a recording device, said content data having a
plurality of content blocks and a header section, at least a
part of said plurality of content blocks being encrypted, and
said header section being operable to store information on said
plurality of content blocks, said plurality of content blocks
being composed of contents encrypted by an encryption key Kblc
and encryption key data Kdis[Kblc], said encryption key data
Kdis[Kblc] being formed by applying an encryption key Kdis to
said encryption key Kblc, said method comprising:

removing said encryption key data Kdis[Kblc] from a content
block section;

executing decryption processing of said encryption key data
Kdis[Kblc] to generate decryption data Kblc;

generating an encryption key data Kstr[Kblc] by applying an
encryption key Kstr to said decryption data Kblc to execute
encryption processing;

storing said generated encryption key data Kstr[Kblc] in said
content block section; and

storing said content block section in said recording device
together with said plurality of content blocks.

152. (AMENDED) A recording medium recorded with a computer
program for generating storing data with respect to a recording
device for recording content data, said content data including
a plurality of content blocks and a header section, at least a
part of said plurality of content blocks being encrypted and
said header section being operable to store information on said
contents blocks, said content data being structured by
encryption key data Kdis[Kcon] stored in said header section,
said encryption key data Kdis[Kcon] being formed by applying an
encryption key Kdis to an encryption key Kcon, said computer
program comprising:

removing said encryption key data Kdis[Kcon] from said header
section; and

executing decryption processing on said encryption key data
Kdis[Kcon] to generate decryption data Kcon;

generating new encryption key data Kstr[Kcon] by applying an
encryption key Kstr to said generated decryption data Kcon to
execute encryption processing; and

storing said new generated encryption key data Kstr[Kcon] in
said header section of said content data.


153. (AMENDED) A data processing apparatus for reproducing
content data, said content data including compressed contents
and an expansion processing program of said compressed
contents, and being provided by a storage medium or a
communication medium, said data processing apparatus
comprising:

a content data analyzing section for executing content data
analysis of said content data including compressed contents and
said expansion processing program of said compressed contents,
and being operable to extract said compressed contents and said
expansion processing program from said content data; and

an expansion processing section for executing expansion
processing of said content data using said expansion processing
program.

154. (AMENDED) The data processing apparatus according to
Claim 153, further including:

a data storing section for storing said compressed contents;
and

a program storing section for storing said expansion processing
program, wherein said expansion processing section has a
configuration for executing said expansion processing with
respect to said compressed contents by applying said expansion
processing program to said compressed contents.

155. (AMENDED) The data processing apparatus according to
Claim 153, wherein said contents data analyzing section has a
configuration for obtaining a configuration information of said
content data based on header information included in said
content data, and said content data analyzing section is
operable to perform analysis of said content data.

156. (AMENDED) The data processing apparatus according to
Claim 155, wherein:

reproduction priority information of said compressed contents
is included in said header information; and

if there are a plurality of compressed contents, said expansion
processing section has a configuration for sequentially
executing content expansion processing in accordance with said
reproduction priority information.

157. (AMENDED) The data processing apparatus according to
Claim 153, further including:

displaying means for displaying information of said compressed
contents; and

inputting means for inputting reproduction contents
identification data selected from said information displayed on
said displaying means, wherein said expansion processing
section has a configuration for executing said expansion
processing of said compressed contents corresponding to said
reproduction contents identification data inputted from said
inputting means.

158. (AMENDED) A data processing apparatus for reproducing
content data, said content data including one of compressed
contents and an expansion processing program, and said content
data being provided by a storage medium or a communication
medium, said data processing apparatus comprising:

a content data analyzing section for receiving said content
data, said content data analyzing section being operable to
distinguish whether said content data includes said compressed
contents or said expansion processing program from header
information included in said received content data; and

if said content data includes said compressed contents, said
content data analyzing section being operable to analyze a type
of a compressing processing program applied to said compressed
contents from said header information of the content data; and

if said content data includes said expansion processing
program, said content data analyzing section being operable to
analyze a type of expansion processing program from said header
information of the content data; and

an expansion processing section for executing expansion
processing of said compressed contents, said expansion
processing section having a configuration for selecting a
specific expansion processing program applicable to said type
of compression processing program based on said type of
expansion processing program, and being operable to execute
said expansion processing by using said specific expansion
processing program.

159. (AMENDED) The data processing apparatus according to
Claim 158, further including:

a data storing section for storing said compressed contents
analyzed by said content data analyzing section; and

a program storing section for storing said specific expansion
processing program, wherein said expansion processing section
has a configuration for executing said expansion processing by
applying said specific expansion processing program to said
compressed contents.

160. (AMENDED) The data processing apparatus according to
Claim 158, further including:

reproduction priority information associated with said
compressed contents, said reproduction priority information
being included in said header information; and

if there are a plurality of compressed contents, said expansion
processing section has a configuration for sequentially
executing said expansion processing in accordance with said
reproduction priority information.

161. (AMENDED) The data processing apparatus according to
Claim 158, further including:

retrieving means for retrieving said specific expansion
processing program; and

with program storing means accessible by said data
processing apparatus as an object of retrieval.

162. (AMENDED) The data processing apparatus according to
Claim 158, further including:

displaying means for displaying information of said compressed
contents; and

inputting means for inputting reproduction contents
identification data selected from said information displayed on
said displaying means, wherein said expansion processing
section has a configuration for executing said expansion
processing of said compressed contents corresponding to said
reproduction contents identification data inputted from said
inputting means.

163. (AMENDED) A data processing method for reproducing content
data, said content data including compressed contents and an
expansion processing program of said compressed contents, said
content data being provided by a storage medium or a
communication medium, said method comprising:

executing content data analysis of said content data; and

extracting said compressed contents and said expansion
processing program from said content data; and

executing expansion processing of said compressed content using
said expansion processing program.

164. (AMENDED) The data processing method according to Claim
163, further including:

storing said extracted compressed contents; and

storing said extracted expansion processing program, wherein
said expansion processing is executed with respect to said
compressed contents by applying said expansion processing
program to said compressed contents.

165. (AMENDED) The data processing method according to Claim
163, further including:

obtaining a configuration information of said content data
based on header information included in said content data and
prior to executing said content data analysis.

166. (AMENDED) The data processing method according to Claim
165, wherein:

said compressed contents includes reproduction priority
information included in said header information; and

if there are a plurality of compressed contents, said expansion
processing step sequentially executes content expansion
processing in accordance with said reproduction priority
information.

167. (AMENDED) The data processing method according to Claim
163, further including:

displaying information of said compressed contents on
displaying means; and

inputting reproduction contents identification data selected
from said display and information displayed on said displaying
means, wherein said expansion processing step is performed
corresponding to said reproduction contents identification
data.

168. (AMENDED) A data processing method for reproducing content
data, said content data including one of compressed contents
and an expansion processing program, said content data being
provided by a storage medium or a communication medium, said
method comprising:

receiving said content data;

distinguishing whether said content data includes said
compressed contents or said expansion processing program from
header information included in said received content data; and

if said content data includes said compressed contents,
analyzing a type of a compressing processing program applied to
said compressed contents from said header information of the
content data; and

if said content data includes said expansion processing
program, analyzing a type of expansion processing program from
said header information of the content data;

a selecting step of selecting a specific expansion processing
program applicable to said type of the compression processing
program based on said type of expansion processing program; and

executing expansion processing using said specific expansion
processing program selected in said selecting step.

169. (AMENDED) The data processing method according to Claim
168, further including:

storing said compressed contents; and

storing said specific expansion processing program, wherein
said expansion processing step is executed by applying said
specific expansion processing program to said compressed
contents.

170. (AMENDED) The data processing method according to
Claim 168, wherein:

reproduction priority information is associated with said
compressed contents, said reproduction priority information
being included in said header information; and

if there are a plurality of compressed contents, said expansion
processing step including sequentially executing said expansion
processing in accordance with said reproduction priority
information.

171. (AMENDED) The data processing method according to Claim
168, further including:

retrieving said specific expansion processing program from a
program storing means accessible by said data processing
apparatus as an object of retrieval.

172. (AMENDED) The data processing method according to Claim
168, further including:

displaying information of said compressed contents; and

inputting reproduction contents identification data selected
from said displayed information, wherein said expansion
processing is performed on said compressed contents
corresponding to said reproduction contents identification data
inputted from said inputting means.

173. (AMENDED) A content data generating method for generating
content data, said content data being provided by a storage
medium or a communication medium, comprising:

combining compressed contents and an expansion processing
program; and

generating said content data including said compressed contents
and said expansion processing program.

174. (AMENDED) The content data generating method according
to Claim 173, further including:

adding configuration information as header information of said
content data.

175. (AMENDED) The content data generating method according
to Claim 173, wherein said header information includes
reproduction priority information of contents included in said
content data as header information of the content data.

176. (AMENDED) A content data generating method for generating
content data, said content data being provided by a storage
medium or a communication medium, said method comprising:

identifying whether said content data has, as header
information, compressed contents or an expansion processing
program;

if said content data has said compressed contents, applying a
type of compression processing program to said compressed
contents as header information; and

if said content data has said expansion processing program,
adding a type of expansion processing program as header
information.

177. (AMENDED) The content data generating method according
to Claim 176, further including:

adding reproduction priority information as header information
of said content data.

178. (AMENDED) A recording medium recorded with a computer
program for reproducing content data, said content data
including compressed contents and an expansion processing
program for said compressed contents, and said content data
being provided by a storage medium or a communication medium,
said computer program comprising:

executing content data analysis of said content data; and

extracting said compressed contents and said expansion
processing program from said content data; and

executing expansion processing of said extracted content data
using said extracted expansion processing program.